It’s How Do We Best Build OT Teams & Programs

My last post, Best Raw Material for an Operations Technology (OT) Team, received many comments on LinkedIn. A lot of the discussion devolved into the old IT v. OT discussion, partially due to my flippantly writing “IT won”. This argument has always been miscast, as I’ll discuss further down in this article, but it importantly missed the point of the article.

We Need To Build OT and OT Security Talent and Teams. How Do We Best Accomplish This?

There is a dearth of OT and OT Security talent. Trying to hire OT / OT Security talent to form a team isn’t a good option, and this is why you are seeing so much movement among the small number of existing talent. So the question the previous article tackled was what is the best way to grow that talent quickly and in the numbers required. I won’t repeat the entire article here, but my contention is that it is easier to teach and convert IT / IT Security talent to OT / OT Security talent than it is to convert engineers and automation professionals to OT / OT Security talent. Easier both in terms of finding a large talent pool that will embrace this new role and teaching the required skills, while understanding it will take time and effort to gain the business/process context to succeed in working with Operations.

I’m sympathetic to the argument that having engineering, automation and IT / IT Security skills makes the best OT / OT Security professional. There will be a small number of these superstars, but it will not scale to meet the OT / OT Security workforce demands.

There Wasn’t OT – It’s Being Built

The perennial IT v. OT discussion has never made any sense because there wasn’t OT. With few exceptions until recent years (and even today) integrators and vendors installed computers, devices, applications and networks in the manner they knew worked and had been doing for decades. Basic OT and OT Security practices were rarely considered. OT and OT Security were additional requirements that could slow down the project and cause things to not work properly.

Once the new ICS was deployed, the most common maintenance mode was, and perhaps still is, run to failure. Don’t touch the OT until it stops working or is being replaced. So for many years, the OT v. IT discussion was really an argument to allow the continuation of run-to-failure maintenance. As asset owners began to understand they were arguing for run-to-failure maintenance, and this conflicted with their approach to their other critical assets, the need for OT became clear.

OT Is Necessary

Anyone with even a basic understanding of ICS understands and accepts the need for OT. Just like a company does not apply the same IT / IT Security processes and technology to employee desktops and mission critical assets, like e-commerce servers and ERP applications, ICS computers, devices, applications and networks need the IT processes and technology adapted to support their business requirements. And the community has settled on the term Operations Technology (OT).

The IT v. OT argument doesn’t make any sense today, and needs to be thrown out. Never to be mentioned again.

What Governance Structure Is Appropriate For OT?

This is the real question that people are arguing, and it led to my writing “IT won” in the previous article. The big debate has been whether Operations or IT should be responsible for OT from a governance standpoint. Operations is clearly the customer for OT. Operations is held responsible and measured on the process performance (manufacturing numbers, delivery of water/power, refining capability, etc.). Operations also has the culture of solving problems and finding a way to make things work. It is truly amazing what the engineers, automation professionals, technicians and operators accomplish in making a complex process work with a small number of people. It actually is much more complex and difficult than OT and OT Security.

Given this mission and culture, it is natural for Operations to want to hold onto and control anything that could affect the mission, to be self-sufficient. It is a large reason why outside resources weren’t invited in to help with OT / OT Security for decades.

What is changing, and has changed already in many organizations, is that executive management is now aware of cyber-related risk to their ICS and the product/service the ICS produces. It often is the reason the company exists and how they generate revenue. As soon as executive management becomes aware of the risk, they want their management and governance structure to manage that risk. This means it flows from the Board and CEO down to the CIO and CISO, who then look to their IT and IT Security teams to be responsible for computers, devices, applications and networks.

The CIO and CISO are not going to accept Operations or some other group outside of their purview to address a huge risk that the CEO and Board will hold them responsible for. This is why from a governance perspective, IT won.

OT is needed. It may be renamed, but it is needed. OT is / will be the responsibility of IT / IT Security as they fall under CIO / CISO. Operations is the customer of OT. And it is always important to meet your customer’s requirements.