I’d encourage loyal readers to check out the comments on the recent OT is Mission Critical IT article. Some are better written than my original article and others highlight the problem.

Jake writes:

Most IT departments would take “mission critical” to mean do lots of backups and patch aggressively.

This is likely true from Jake’s experience of IT departments within his organization and many of his peers. Most involved with ICS have probably never come in contact with a high value IT system with stringent availability, integrity and confidentiality requirements. The concept of the help desk being responsible for ICS uptime is terrifying.

Ian writes:

In my experience, mission critical IT systems are supported very, very differently from the normal desktop environment. I believe that most of us in OT security could learn a great deal from mission critical IT.

Mission critical systems (there’s a clue in the name) have specific requirements for confidentiality, availability and integrity. The idea that a mission critical system such as, say, a financial trading system can be patched aggressively is just crazy. These systems have extremely stringent availability and integrity requirements; outages cost $MMM’s (again, they are mission critical).

There are other gems in the comments, but it is clear that understanding OT as Mission Critical IT depends on your exposure to real high value IT systems. We need to cross-pollinate better.

One area where you see a convergence is the control systems that monitor and control data centers.