[EDITOR'S NOTE]: This article originally appeared on Mike Hamilton's monthly blog on CSO Online.
I've written previously on the emergence of security as a competitive differentiator, and how that trend is helping consumers, businesses, and society at large.
To summarize: companies are recognizing the power of promoting the security of their products, and consumers respond favorably when a product comes out of the box free of known security defects. Concurrently, businesses and the public sector are choosing third-party providers that promote secure deployment and offer maintenance plans to address future vulnerabilities and security flaws with patches, updates, and revisions. This trend is forcing the market to move the security needle. And when capitalist businesses see a favorable return on security investments, they will do more, not because they are mission-driven, but because they want your money.
Those of us in information security serving the public and private sectors still see this as a win: whatever the reason, it is the shift we need for a safer society.
In a recent engagement for a public-sector organization that will, for the time being, remain unnamed, CI Security put this idea to work within the framework of public-sector operations. By integrating everything under the umbrella of operations, including information technology (IT), operational technology (OT) in utilities, and internet-of-things (IoT) devices, we can secure and enable "smart city" efficiencies.
Let’s explore why this is the critical path for all organizations and communities to a more secure future in a hyper-technological world.
OT and IT Staff Are Inherently Different
Historically, staff tasked with OT management have come up through the trades. Because these are water, energy, dam, waste-treatment, and other operations mainly associated with public utilities, the employees are typically represented by unions. They have matured in a completely different ecosystem from information technology professionals.
Just about anyone who has had to work with these two groups on a project can agree on two things: 1) coordination between IT and OT staff is generally poor, and 2) there are typically two separate and different policies governing technology, one for each group. Some OT teams may even have policies pinned to regulatory requirements, as in energy-sector operations (NERC CIP, for example).
OT teams are focused on managing the technology elements of industrial control and SCADA (supervisory control and data acquisition) systems, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), "historians", and so on. These operational technologies suffer from the same classes of issues as the operating systems and application servers on the IT side of the house: unpatched software, default or shared credentials, and exposed management interfaces. The difference is that OT patch cycles are tied to maintenance windows often measured in months, and the impact of a disruption event due to a "cyber" attack on OT, which is becoming empirically more likely, is far more significant. Such events could affect everything from emergency management to restoration costs and, in the worst case, loss of life.
Bridging the OT-IT Gap
How can we all start speaking the same language and addressing technology security on both sides of the IT/OT demarcation point?
First, note that policy underpins everything.
Without a set of rules on which to fall back, ambiguities about "who does what" will persist, and OT operations will remain opaque to the security function that needs visibility into them. Policies that apply organization-wide should address technology across the full spectrum of operations, and at a minimum should cover procurement, contracting, and vulnerability management. Policies specific to OT operations that go beyond these issues will, again, likely be driven by regulatory requirements; the core technology security management issues, however, can and should be applied universally. One caveat for vulnerability management in particular: an OT asset often cannot be patched outside a scheduled maintenance window, so the policy should define what happens in the meantime (compensating controls such as network segmentation and monitoring, a documented risk acceptance, or both) rather than silently exempting OT.
Second, commit to full integration between OT and IT.
Once policy regarding these key issues has gone through the governance process and been approved for promulgation, memoranda of understanding between the IT and OT groups can be used to delineate responsibilities. The components of security operations that address technology procurement, deployment and integration, administration and operational maintenance, security monitoring, and incident response must all be covered. Two items worth stating explicitly in such an agreement are who owns and monitors the network boundary between the IT and OT environments, and who has the authority to isolate an OT system during an incident. Note that these responsibilities extend to technology manufacturers, distributors, and integrators as well as to the IT and OT staff in the organization.
Integrating and Preparing for IoT
With those preliminary steps mandated, organizations are better prepared for the various IoT implementations and building plans already underway.
The last mile is integrating IoT into the overall security program. IoT stands to greatly increase the attack surface presented to threat actors: whether the devices automate traffic management, facility energy consumption, or a robotic manufacturing line, the bad guys have more ways to enter critical systems. One case in point is the recent story of the casino that was breached through an internet-connected thermostat in a lobby aquarium, which the attackers used as a foothold on the network to reach and exfiltrate a high-roller database.
If we do not set a clearer expectation of security, and carry it through the way we buy, contract, deploy, maintain, and retire these technologies, we are rolling out the red carpet for more records disclosure, theft, extortion, and disruption of operational continuity.
Let's remember, we're capitalists. If we give companies a way to make more money by making it clear that we only buy products that have been tested, approved, and include security maintenance plans, those companies will rise to the occasion and work hard to get our business. And that trend will continue to move the security needle toward a safer society.