Two weeks ago I wrote Not OT v IT … It’s OT & Engineering. While the article received a lot of positive comments, the most emphatic comments were from a small number of engineers and automation professionals who essentially said: We’ve got this. OT and all T just stay the heck out.
The glib response would be: scoreboard. Look at the state of OT and OT security over the past two decades under the control of engineers and automation professionals. Large swaths of multiple sectors with "install and don't touch because you might break it" systems, commonplace run-to-fail maintenance, untrained personnel on key OT systems, insecure-by-design systems, …
There are surely exceptions that have appropriate OT cyber maintenance, skillsets and risk management. I’ve seen some that have gotten there after years of work, always through OT & engineer collaboration. Perhaps the commenters are the exceptions that have succeeded with only engineering and automation professionals doing everything.
I believe some of the pushback and anger had to do with the wrong inference that I was saying engineers and automation professionals lack the intelligence and ability to do OT work. This is not the case. Let me try an analogy with lawyers and CEOs.
The law, like OT and OT security, is a specialized field and area of knowledge. It can be learned by people with reasonable intelligence, a commitment to learning and continuing education. Most CEOs have the ability to become lawyers, and many CEOs began their careers as lawyers.
Almost never is the CEO the company’s lawyer. Even if they began their career as a lawyer, they have a legal department that handles legal matters. The CEO has a lot of responsibilities and can’t spend the time it takes to maintain their expertise and take on the role of the company’s legal counsel.
The CEO may endeavor to know more about the law so he can better understand, guide and evaluate the legal department's work. The CEO doesn't try to do the legal work, because this would mean not doing the CEO job.
Most engineers and automation professionals could learn and master designing, configuring, maintaining and securing an OT network infrastructure, Active Directory, a complex VMware environment, security solutions and more. They could spend their time on this … at the expense of doing the engineering and automation work that only people with those skills can do. Some have, in fact, transitioned from an engineer into a full time OT and OT security professional because they prefer this work.
Or the engineers and automation professionals could work with OT and OT security professionals to get the needed work done. They, the engineer and automation professional, are in fact the customer that sets the requirements. This is what I meant by OT & Engineering.
You might think we should flip the engineer to be the lawyer in this analogy, but I didn’t want to antagonize engineers by putting OT above them. We also could change it to lawyer and accountant because engineers / automation professionals are also specialized fields, but the overlap is less between these two roles.
In any event, engineers and automation professionals can clearly be great OT & OT security professionals if they spend the time learning and maintaining the skills. It is easier than getting an engineering degree. My suggestion is to pick the role you like and know enough to work with the other roles.