The Tripwire team asked a number of people for 100 words on the following questions:

How does the IoT change the dynamics between IT and OT? What practical tips can you provide for working together effectively?

You can read the full set of responses in this linked article, but here was my answer:

The "OT is different from IT" fallacy stems from ICS professionals comparing OT to desktop management.

OT is mission critical IT. Where OT differs from highly secure and reliable mission critical IT systems, the differences are deficiencies in OT rather than differences in requirements: insecure-by-design protocols, incorrectly deployed equipment, a lack of staff trained for the deployed technologies, insufficient test environments, a run-to-fail maintenance philosophy …

The looming insecurity of IoT is much more of a concern for end users than for traditional ICS, as long as you don't fall for the "everything must talk to everything" myth.

100 words is quite constraining, so here is a bit more. I'd challenge you to ask "HOW?" whenever you hear that IT is different from OT.

You will hear that OT is often controlling a critical process with potentially large impacts on human safety, critical services and the environment, while IT is not. That is the reason behind OT's availability and integrity requirements; it is not a difference in how those requirements are met. Many mission critical IT networks have availability requirements as high as or higher than OT.

You will hear about patching, upgrades and other IT cyber maintenance activities that are performed without testing or coordination with the system users. This is true of corporate desktop management and non-critical servers. It is not the case for a mission critical IT system, where the company can tell you the cost per minute of downtime.

The sad truth is that the differences between mission critical IT and OT are due to those running OT accepting a lack of availability, integrity and reliability.

  • No source or data integrity … loyal readers know I’ve been beating the drum that the ICS protocols lack integrity. Access = control or compromise. Mission critical IT uses secure protocols.
  • Lack of trained staff for deployed technology … this is also tied to incorrectly deployed equipment. Example: the lead article of the ICS-CERT Monitor highlights the crack team being sent out to analyze "the router and switch configurations and found an error in how the spanning-tree protocol". For years OT has been deploying Domain Controllers without trained Domain Admins and Cisco infrastructure without even basic CCNA Routing and Switching knowledge. Now sophisticated virtual environments are being deployed with the ICS vendors stating "don't worry, you won't need to touch it after it's installed". Mission critical IT insists on the right skill sets.
  • Lack of a test environment … not all OT fails in this, but it is still uncommon to see a realistic test environment for OT. Mission critical IT will have a test environment and a regression test for functionality before changes are moved to production.
  • Recovery … mission critical IT has well designed and tested recovery capability and can state with a high degree of confidence how long it will take to recover. OT relies heavily on redundancy, which is of little help in a cyber incident: the redundant unit runs the same vulnerable software and is reachable from the same network, so whatever took down the primary can take down the backup.
  • Patches break applications … this actually happens in both OT and mission critical IT, which is why both need to test thoroughly before deployment. The biggest difference is that the mission critical IT vendor expects to need to patch and usually follows the OS and other vendor instructions on how to design apps. I'll admit this is an area where many ICS vendors have greatly improved; patch incompatibility has markedly decreased over the past 5 years.
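The "access = control" point in the first bullet is easy to see at the byte level. The following is an added example, not code from the original post: it builds and parses a Modbus/TCP Write Single Register request (function code 6) using the frame layout from the Modbus spec, and a toy PLC handler that, like a real one, honours any well-formed write because nothing in the frame identifies or authenticates the sender. The `wrap_with_hmac`/`verify_and_unwrap` pair at the end is a hypothetical integrity wrapper, not a Modbus feature, included only to illustrate what a "secure protocol" adds: a tampered frame is accepted by the bare protocol but rejected once a keyed tag covers it.

```python
import hashlib
import hmac
import struct

# Modbus/TCP frame = MBAP header + PDU (layout per the Modbus spec):
#   MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
#   PDU for function 6: function code (1), register address (2), value (2)
FC_WRITE_SINGLE_REGISTER = 6


def build_write_single_register(txn_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Encode a Write Single Register request. Note: no field for who sent it."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    # MBAP length counts the unit id plus the PDU bytes that follow it.
    mbap = struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode a function-6 request; raise on structurally malformed input."""
    if len(frame) < 12:
        raise ValueError("frame too short")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    if fc != FC_WRITE_SINGLE_REGISTER:
        raise ValueError(f"unsupported function code {fc}")
    address, value = struct.unpack(">HH", frame[8:12])
    return {"txn_id": txn_id, "unit_id": unit_id, "function": fc,
            "address": address, "value": value}


def plc_handle(frame: bytes, registers: dict) -> bytes:
    """Toy PLC (constructed for this example): every well-formed write is applied.

    There is no credential, session or integrity tag to check, so network
    reachability is all an attacker needs to change the process value.
    """
    req = parse_frame(frame)
    registers[req["address"]] = req["value"]
    return frame  # function 6 echoes the request back as the response


# --- Hypothetical integrity wrapper, NOT part of Modbus ---------------------
# Illustrates what a secure protocol adds: a keyed tag over the frame so that
# any modification in transit is detected. Key management is out of scope.
TAG_LEN = 32  # HMAC-SHA256


def wrap_with_hmac(frame: bytes, key: bytes) -> bytes:
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def verify_and_unwrap(wrapped: bytes, key: bytes):
    """Return the inner frame if the tag verifies, else None."""
    if len(wrapped) <= TAG_LEN:
        return None
    frame, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    return frame if hmac.compare_digest(tag, expected) else None


def tamper_value(frame: bytes, new_value: int) -> bytes:
    """Simulate an on-path attacker rewriting the register value in flight."""
    return frame[:10] + struct.pack(">H", new_value)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    registers = {}
    legit = build_write_single_register(1, 1, 0x0010, 0x1234)
    evil = tamper_value(legit, 0xFFFF)
    plc_handle(evil, registers)            # bare Modbus: tampered write lands
    print("bare Modbus accepted tampered write:", registers)
    wrapped = wrap_with_hmac(legit, key)
    print("wrapper rejects tampered frame:", verify_and_unwrap(tamper_value(wrapped, 0xFFFF), key) is None)
```

The two halves are deliberately asymmetric: the bare `plc_handle` has nothing it *could* check beyond framing, which is exactly why "access = control or compromise" holds for these protocols, while the wrapper only needs a shared key to turn the same frame into something a tampering attacker cannot forge.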

I could go on and on, but the most important item is that OT all too often has a run-to-fail maintenance philosophy: install it and don't touch it unless it stops working. This results in increasing fragility and lower reliability that would not be accepted in mission critical IT.

I know that not all mission critical IT operations are perfect, but they are far ahead of OT.

We have worked with clients that rely on IT for OT, others that share the responsibilities, and even some Operations Groups that basically create their own mission critical IT group. Any of these will work, but the key is that you need a trained team with sufficient time and processes to run your OT like a mission critical IT system. The amount of money spent to run and maintain a mission critical IT system dwarfs what you see for even very critical OT systems. If your OT is that important to the organization, it should not be difficult to get the appropriate funding.

Can you think of a single process or control in mission critical IT that would not apply to the IP or Ethernet portion of OT?