By Gregory Hale
Gary Williams knows one answer to the IT-OT security schism.
Williams, the Schneider Electric Senior Director of Technology, Cyber Security and Communications, found a case where IT and OT were not working well together so the manufacturer sent IT and OT practitioners to school to learn about each other’s area of expertise.
“They sent their IT people on the GICSP, which is based on OT, and their OT people to a basic IT course and what that enabled was for both to use the same vocabulary,” Williams said. GICSP (Global Industrial Control System Professional) is a global certification focused on the essential knowledge of securing critical infrastructure assets. “Now, speaking in a common language, they are making inroads into the challenge presented by IT and OT. The challenge truthfully is caused by IT who have been inherently built into the culture dealing with systems giving information on a daily basis. OT is more conservative and they are unaware of the current threats and they are not really sure they know how to address it.”
“What we have is a mismatch in environments,” said Andrew Kling, Director of Cybersecurity and Architecture at Schneider Electric. “It’s a mismatch in products executing in the environments; the environment is changing very fast, but the products in those environments aren’t. At the plant level, the cyber environment is evolving at a very rapid pace, but the technology inside is not. For a user to say they are going to keep up with the evolutionary speed of the cyber realities of the world, would be a significant statement, not even necessarily feasible from a business standpoint.
“We are going to have to make our products flexible enough to keep up with the changing environment. We need PLCs that are intrinsically secure from the beginning, as well as components, and firmware and other techniques that can be added – not bolted on – but added to the system.”
That changing environment means more sensors and more connections coming from across the Internet – in other words, the Industrial Internet of Things (IIoT). A typical process plant cluster has around 40,000 sensors. Add IIoT on top of that and the number will increase to something like 250,000 sensors or more per plant.
“The ability to take real-time process control information and make it available at the business level so rapid decisions can be made is happening now,” Kling said. “We went from talking about it to delivering it in one year. It does start to bring new and different challenges because as you try to integrate some of the business-level awareness of what is going on at the process control level, you have to account for it in your cyber security solution.”
IIoT will help solve key business issues all plants face in terms of production efficiency, process reliability and safety, along with moving ancient legacy systems into the new age. But because of the sheer volume, it is forcing IT and OT to work together so the manufacturer can take advantage of everything new technology and connectivity bring.
“You have to understand the business outcome,” said Caglayan Arkan, general manager of Microsoft’s worldwide manufacturing and resources sector enterprise and partner group, during a panel discussion at an industry conference.
“It is about humans working together,” said Jeff Reed, senior vice president and general manager, Enterprise Infrastructure and Solutions, Cisco, at the same conference. “It is really about getting the teams together and ensuring security. IT and OT need to work together, and manufacturing needs to help bridge that divide.”
IT-OT Security Levels
It is easy to say IT security is years ahead of OT, and the manufacturing sector can learn from that. While that is true, Williams has a different perspective.
“From an OT perspective the security is probably better now than it has ever been,” he said. “We are using Active Directory; we have mechanisms that can provide patches and antivirus updates; we now use role-based access control, we have host-intrusion detection systems. From an OT perspective, they have come a long way in a short period of time. You can say they are behind IT, but the drivers for IT are totally different than OT.”
Changing an email server will probably take about 10 hours, but if it is down for that amount of time, it will only affect the mail. From an OT perspective, Williams said, “it can’t even be down for one hour because it is going to interrupt productivity. That is when you start hearing conversations about redundancy or virtual environments which are methodologies we can use to test the latest patch or update which will not have any detrimental effect to the operation that is currently running. So, they are not behind, they just have different cultures and they have different drivers.”
Meeting of the Minds
When it comes to IT-OT convergence, you can go to school and learn that there has to be a “meeting of the minds” between the two, but getting there will take some time.
“There will still be the old time OT mindset in place,” Kling said. “Think about if there were a revolutionary process control idea that would double your production and raise your profits, would it be accepted tomorrow? No, it would not. It would take years for acceptance. It is the same thing for IT-OT convergence. OT is not going to react that fast. But, here is the big one. We know there is a rapid drain on OT skill and it will be replaced with new blood coming into the marketplace. People growing up with laptops under their arms, with tablets in this connected world. It will take a little bit of time, but the new entrants into the marketplace will bring the new opportunities for adoption.”
Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).