I spent the week in Singapore participating in CSA’s OTCEP event. While reduced from years past, there were still a number of slides and discussions about how IT is different from OT. I’m not sure what’s more wrong in this discussion: the straw man or the lack of understanding of IT.
Straw Man – The number of people who think you should design, deploy, maintain and secure OT the same way as user desktops on the corporate network (which is what most mean by the term IT in this discussion) is tiny. This is no longer a revelation or in dispute.
Lack of Understanding of IT – IT is not a monolith where all applications / systems / networks are treated the same. IT has specialized teams to deal with unique technologies that have unique requirements for availability, integrity and confidentiality. There are “IT” systems with availability requirements as stringent as, or more stringent than, many OT environments. Financial, health care, e-commerce, etc. systems have dedicated teams within IT. And those teams have already fought similar battles, arguing that IT can’t treat them the way it treats other desktop / server / general-purpose employee apps.
OT is another specialized type of IT, or T. There is a growing field of OT professionals that have the T skills and can communicate and advise engineers and automation professionals.
The bigger issue in culture and organizational collisions is between OT and Engineering. There isn’t the clash there was between IT and OT a decade ago. Rather, it is a lack of interaction: neither side is engaging the other to the degree necessary.
One easy way to look at this is with the simple risk equation: Risk = Consequence x Likelihood. Engineering understands and can have the biggest impact on Consequence. OT understands and can have the biggest impact on the Likelihood of a cyber incident (and not just malicious cyber incidents).
There are a lot of benefits to OT and Engineering working together. Two big examples:
- OT can help Engineering understand where they may have unwarranted certainty in their safety and protection measures. OT to Engineer: What are the really bad things that can happen? How do you stop them from happening? OT then looks at whether a cyber attack or incident could prevent that safety or protection measure from doing what the engineer thinks it will do.
- Engineering can help OT understand where reducing likelihood matters most. In a world of limited resources, applying the growing set of “cyber hygiene” measures to all OT cyber assets is impractical. Engineers can help OT understand where those measures will result in the greatest risk reduction.
If both roles can approach the other with humility and appreciation of what they know and don’t know, there can be significant early wins and a beautiful friendship.