Removing IT/OT barriers to ensure plant floor safety, operational integrity

Cybersecurity Insights

• Information technology (IT) and operational technology (OT) teams assume the other side is responsible for industrial control system (ICS) technology, and that is not the case. Both should be responsible.
• Companies should be applying the same due diligence to the OT side of security as they do for the IT side and that requires a major mindset shift from both sides.
• Getting the two sides to work toward common goals and understanding each other’s priorities will be key to narrowing the culture and mindset gap the two sides have.

The convergence of enterprise network management and industrial equipment management due to the Industrial Internet of Things (IIoT), Industry 4.0 and industry-wide digital transformation has left many organizations struggling to keep up with cybersecurity issues. Whether it’s the C-Suite or operational teams, everyone assumes someone has ownership of industrial automation equipment safety.

The challenge is most internal teams assume industrial control system (ICS) cybersecurity is someone else’s responsibility and not their own, with each side pointing the finger at the other. IT and OT departments should take steps to lower barriers so they can improve safety and operational integrity on the plant floor together.

The information technology (IT) safety, cybersecurity perspective

While confusion commonly exists around ownership for ICS equipment safety and cybersecurity, the fact is IT teams are not overseeing or responsible for the day-to-day operation of ICSs. Safety and operational process integrity is not a function or responsibility that typically belongs with IT. When operating within the confines of the industrial environment, IT is required to adhere to safety measures, policies and procedures. However, IT does not determine policy or procedures for equipment on the industrial plant floor. Nor do they administer critical activities surrounding ICSs.

Expecting IT to manage the security of operational technology toolsets or ICS-specific protocols and device types on the plant floor is not reasonable. They do not have the skillset, toolsets, experience or bandwidth to handle operational safety in addition to the enterprise network responsibilities they manage and oversee.

The operational technology (OT) safety, cybersecurity perspective

The interesting and unfortunate challenge most engineering and operations teams overseeing ICS equipment face is they lack budget, resources, skills, expertise and knowledge of cyber risks and prevention relating to industrial equipment. The first step to securing the operational environment is for OT to acknowledge their role and accept responsibility for cybersecurity throughout the industrial manufacturing or critical infrastructure environment.

Some OT practitioners also are aware of the pitfalls to mitigate and remediate old or aging equipment. Patching, upgrading, or replacing outdated equipment and systems are cost prohibitive, so they often choose to do nothing. While this is not a wise stance to take, the operations team at a minimum needs to accept ownership for the security of ICS equipment.

Removing the barriers to improve safety on the plant floor

Most organizations do not have a good grasp of what is connected in their OT environment. Every organization needs to get an accurate, up to date ICS/OT inventory and a documented list of all common vulnerabilities and exposures (CVEs) for each asset. This can be achieved by deploying a continuous monitoring platform that tracks the ICS digital footprint.

On average, there is a 25:1 ratio for OT devices to each IT endpoint device. Unfortunately, the resource and budget allocations do not reflect the ratio of devices needing to be managed and protected from adverse events.

The primary question an organization should be asking themselves is: Are we applying the same or similar technologies, governance, policies and procedures, and due diligence to your operational equipment and OT environment that you do for IT? If not, why not?

For example, if IT installs a firewall between the IT and OT environments, OT should also install and control its own firewall. Prudence would dictate if the the IT environment is protected from OT, then OT needs to have a barrier to protect itself from IT, as well. If there is an industrial demilitarized zone (IDMZ) level 3.5 in the ISA-95 / Purdue Model there would be 2 firewalls with each group owning and managing its own.

Industrial control system (ICS) cybersecurity is the responsibility of the information technology (IT) and operational technology (OT) side and need to be on top of things. Courtesy: Velta Technology

Five day-to-day strategies that can help lower IT, OT barriers

The silos between IT and OT need to come down so they are more interconnected when it comes to understanding, communication and accountability. A regular cadence needs to be created between IT and OT. IT departments also should learn and demonstrate they have a grasp of day-to-day plant operations.

1. IT and OT involvement in production cycles

IT should be part of the planned and scheduled maintenance routines and learn common safety practices including how and why certain rules apply. They should understand full production cycles from line and product changeovers to seasonal production activities.

2. IT and OT decision-making

IT should also be invited to be part of all decisions relating to automation technology. For example, if the OT teams are pursuing lifecycle, expansions or upgrades, IT should be part of the process every step of the way. IT should review the technology decisions related to ICS infrastructure and networks including technology choices, architectures, service & support agreements.

3. Third-party involvement: IT, OT knowledge

IT should discover and know how third parties are engaging with the OT network in relation to maintenance and support of ICS equipment. Third-party network connections through ICS equipment can impact the safety of the enterprise.

4. Asset visibility for IT, OT

One of the first steps to upgrading security on the plant floor is to get an accurate, up-to-date ICS/OT inventory and a documented list of all common vulnerabilities and exposures (CVE’s) for each asset. This can be achieved by deploying a continuous monitoring platform that tracks the ICS digital footprint.

Any new activities within the ICS environment need to be understood and captured. All unplanned and unscheduled downtime should be documented, response and recovery should be known. PLC changes should never go unnoticed. The “ghost in the machine” –  should rarely be the known cause for unexpected outages.

5. Parallel reporting for IT, OT, ICS

Reporting also should run parallel. If IT is reporting on IT system performance, they should apply similar roles and activities in relation to ICS on the OT side of the business. Digital functions related to ICS equipment need to be captured, traced, logged, audited and baselined with no exceptions.

The same incident and response to a safety issue cannot go unnoticed, undocumented or ignored. If someone gets hurt or killed or serious damage is caused, everything stops to determine what happened. If a person is hurt, investigations must take place to determine what happened. Complete drug tests, re-enactment, study faulty equipment, determine whether processes, policy and procedures were followed and anything else to help determine the cause.

IT, OT departments can learn from each other

OT can learn a lot from IT relating to cybersecurity, practices, policies, procedures, technology and operations. OT can no longer look the other way and put the responsibility for production and plant floor safety into the hands of people who are 2, 3, 4 or more steps away from the plant floor operations.

CEOs who sign off stipulating they are doing everything in their power to keep their organization safe, need to understand they are not being told the whole story of the state of cybersecurity relating to their ICS. The CEO should not be naïve to think or believe their IT organization has all the digital safety bases covered for the entire company, especially if they are responsible for a company in the manufacturing or critical infrastructure sectors. The CEO is and will be held accountable if the worst-case scenario unfolds in one of their facilities and someone is hurt, killed or creates an environmental hazard.

There is no excuse today for any organization not to be fully protected because the technology and tools exist across IT and OT. The OT department needs to take full responsibility for protecting ICS equipment from adverse events whether through human error or nefarious actors. On the flip side, the IT department must get closer to plant floor operations to help determine what cyber technologies, procedure and policies are the best fit for ICS, working with their OT counterparts.

The ultimate question every organization needs to ask themselves is, are we applying the same or similar technologies, governance, policies and procedures, and due diligence to our OT production environment as we are for the enterprise environment? And if not, why not?

Dino Busalachi is chief technology officer and co-founder of Velta Technology, a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

MORE ANSWERS

Keywords: IT/OT convergence, plant safety

ONLINE

See additional cybersecurity stories at www.industrialcybersecuritypulse.com

CONSIDER THIS

How are IT and OT collaborating at your facility?

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.