Lesson Learned: IT-OT Convergence
Gary Williams knows one answer to the IT-OT security schismBy Gregory Hale, editor/founder ISSSource
Williams, the Schneider Electric Senior Director of Technology, Cyber Security and Communications, found a case where IT and OT were not working well together so the manufacturer sent both IT and OT to school to learn about each other’s area of expertise.
“What we have is a mismatch in environments,” said Andrew Kling, Director of Cybersecurity and Architecture at Schneider Electric. “It’s a mismatch in products executing in the environments; the environment is changing very fast, but the products in those environments aren’t. When you get to a plant and the environment the plant exists in, At the plant level, the cyber environment is evolving at a very rapid pace, but the technology inside is not. For a user to say they are going to keep up with the evolutionary speed of the cyber realities of the world, would be a significant statement, not even necessarily feasible from a business standpoint. We are going to have to make our products flexible enough to keep up with the changing environment. We need PLCs that are intrinsically secure from the beginning, as well as components, and firmware and other techniques that can be added-- not bolted on-- but added to the system.”
All of that with a television remote control.Using a simple device, the attacker was able to penetrate a network and cause damage. In today’s hectic industrial environment, manufacturers for the most part cannot rely on themselves for protection. They need to focus on making product. That is where a solid security plan where workers are educated and know what, or what not, to do, or partner with a quality provider that can work its[?] magic on keeping systems up and running.
Manufacturers need to keep the process going. Security, company leaders will say, is this “new-fangled” thing that costs money and slows down production. They really don’t see it as a business enabler that can help keep systems up and running.
“In operations management there is very little time for security,” said Andrew Kling, Director of Cybersecurity and Architecture at Schneider Electric. “But as you go higher into the organization, you’ll find they increasingly have more time. The stories tilt away from fear and toward what is the risk to my corporate reputation and what is the risk to my ability to produce my widget and make a profit. That is where they do have time to think about cybersecurity. They are thinking about plant risk and risk management.”
FUD Fading Away
Fear, uncertainty and doubt (FUD) was all the rage 10 years ago when cybersecurity first came to light. But the chicken little, sky is falling fear mongering is going away with an intelligent approach to understanding the issue and methodically addressing it is coming to the fore.
Instead cyberattacks, internal and external, are continuing to grow. Just take a look at a recent Ponemon Institute cybersecurity research study. Fifty-three percent of respondents said they suffered at least one data breach in the past two years, while 68 percent don’t believe their organizations have the ability to remain resilient in the wake of a cyberattack. And 66 percent aren’t confident in their organization’s ability to effectively recover from an attack.
“Once senior managers are educated, they begin to look at cybersecurity, they see what is in the media, they see the risks and threats,” said Gary Williams, Schneider Electric Senior Director of Technology, Cyber Security and Communications. “They do an analysis as to whether they would be able to withstand a threat. And once they realize they don’t have a necessary skill set or the necessary hardware features to prevent an attack, they consider additional services. Because the alternative, of course, is to just disconnect.”
“The ability to take real time process control information
and make it available at the business level
so rapid decisions can be made is happening now ..
we went from talking about it to delivering it in one year “
-Andrew Kling , Schneider Electric
That changing environment means more sensors, more connections coming from across the Internet – in other words the Industrial Internet of Things (IIoT). A typical process plant cluster, has around 40,000 sensors. Add IIoT on top of that and it will increase those numbers to something like 250,000 sensors or more per plant..
“The ability to take real-time process control information and make it available at the business level so rapid decisions can be made is happening now,” Kling said. “We went from talking about it to delivering it in one year. It does start to bring new and different challenges because as you try to integrate some of the business-level awareness of what is going on at the process control level, you have to account for it in your cyber security solution.”
IIoT will help solve key business issues all plants face in terms of production efficiency, process reliability and safety, along with moving ancient legacy systems into the new age. But because of the sheer volume, it is forcing IT and OT to work together to enable the manufacturer to take advantage of all things new technology and connectivity bring.
“You have to understand the business outcome,” said Caglayan Arkan, general manager of Microsoft’s worldwide manufacturing and resources sector enterprise and partner group during a panel discussion at an industry conference.
“It is about humans working together,” said Jeff Reed, senior vice president and general manager, Enterprise Infrastructure and Solutions, Cisco, at the same conference. “It is really about getting the teams together and ensuring security. IT and OT need to work together, and manufacturing needs to help bridge that divide.”
IT-OT Security Levels
It is easy to say IT security is years ahead of OT, and the manufacturing sector can learn from that. While that is true, Williams has a different perspective.
“From an OT perspective the security is probably better now than it has ever been,” he said. “We are using active directory; we have mechanisms that can provide patches and antivirus updates; we now use role-based access control, we have host-intrusion detection systems. From an OT perspective, they have come a long way in a short period of time. You can say they are behind IT, but the drivers for IT are totally different than OT.”
Changing an email server will probably take about 10 hours and if it is down for that amount of time, it will only affect the mail. From an OT perspective, Williams said, “It can’t even be down for one hour because it is going to interrupt productivity. That is when you start hearing conversations about redundancy or virtual environments which are methodologies we can use to test the latest patch or update that will not have any detrimental effect to the operation that is currently running. So, they are not behind, they just have different cultures and they have different drivers.”
Meeting of the Minds
When it comes to IT-OT convergence, you can go to school and know there has to be a “meeting of the minds” between the two, but it will take some time.
“There will still be the old time OT mindset in place, Kling said. "Think about if there was were a revolutionary process control idea that would double your production and raise your profits, would it be accepted tomorrow? No, it would not. It would take years for acceptance. It is the same thing for IT-OT convergence. OT is not going to react that fast. But, here is the big one. We know there is a rapid drain on OT skill and it will be replaced with new blood coming into the marketplace. People growing up with laptops under their arms, with tablets in this connected world. It will take a little bit of time, but the new entrants into the marketplace will bring the new opportunities for adoption."
For related information, click on any of the links below:• [White paper series] Preparing for the IIoT, exploring the impact.
• Organizations with the latest generation technologies can attract millennials seeking “interesting” jobs
• Cybersecurity in the connected enterprise
• Marathon of Security - Securing Device-by-Device Will Elevate Cyber Profile
• Industrial Cybersecurity services