Mitigating Risks In An OT Environment – A Follow Up
Talking about risk assessment in an OT environment can be daunting. Perhaps because of the complexity of the subject, many prefer to look away and leave the matter to the specialists. Fair enough. But whether we like it or not, playing an active role in defending businesses from cyber threats is not only up to those wearing a fancy 'CISO' badge. If anything, that mentality leads to dangerous and, unfortunately, very common mistakes that contribute directly to the attackers' success rather than to our protection.
Speaking of hackers: associating cyber threats with the image of attackers working from dark basements now seems like an old-fashioned, albeit still scary, picture. It's time to paint new ones that show those being attacked not only as powerless victims, but as having an active role in preventing such threats from happening again.
The IT-OT discussion
SeQure World Magazine recently published an article that asked: is the IT-OT bridge the Achilles' heel of industrial cyber security? OT security experts from across Europe answered an indirect 'yes'. But that answer quickly sparked a discussion about why IT-OT collaboration doesn't have to, and shouldn't, be a point of weakness, but rather one of strength. What it needs is improvement.
How to achieve such strength is the golden question up for debate. In this follow-up article, we invited experts from other parts of the world to join the conversation. In the pursuit of stronger cyber security, some argue that IT and OT should remain segregated departments, while others think IT and OT should merge.
Elliot Forsyth, VP of Business Operations at Michigan Manufacturing Technology Center, was kind enough to provide a perspective different from those in our previous article. He suggests that IT and OT are already merging, and that this calls for a unified security strategy that deals with both as one. Meanwhile, UI Labs, represented by Caralynn Collens, CEO, and Koushik Subramanian, CISO, suggest taking both IT and OT into account while maintaining a slight shift in methodology to respond to each system's particularities. And while the IT-OT discussion goes on, what can we actually do to avoid further endangering our companies?
Not a one-man job
Let's start with the one thing we can all agree on: "Cybersecurity is no longer optional; it's a necessity for business survival", to put it in Elliot's words (Elliot1). This might sound obvious enough to those already scared of, and scarred by, terrifying data breach numbers, such as the 179 million records exposed in the US in 2017 alone (Statista1).
Businesses are embracing technologies that affect every aspect of their operations and of daily life. It is only fair that every employee, at every level of the organization, is actively involved in the transformations taking place. Surely this involvement includes reaping the rewards of comfort and efficiency. But it should also imply increased responsibility in everyday activities, even underestimated ones such as accessing a corporate email account. Does this sound obvious? Unfortunately, the evidence suggests that it isn't.
Friend, Foe, or Faux? The human factor in mitigating risks
When discussing risk mitigation, the human factor must be acknowledged for its capacity to protect and prevent, not just to attack. "Employees within a company may not be aware that they are responsible for the majority of security breaches that occur. In fact, more than 61% of cyber-attacks involve end users, or inside users who have access to sensitive data as a part of their jobs. Additionally, 63% of attacks stem from password breaches due to employees using weak or default passwords." Whether maliciously or through blissful ignorance, "cybersecurity threats caused by employees are damaging and expose your business to serious vulnerabilities", explains Elliot.
To reverse this trend, keeping cybersecurity policies top of mind through ongoing training is recommended. Recognizing that employees are part of a business's line of defence isn't enough: they then need to be educated, trained, and motivated to act accordingly. And this is the surprisingly challenging bit. Surprising because you'd think that being safe is in everyone's interest and shouldn't require more motivation than that. But it does. People just want to get their jobs done. Some either don't know, or easily forget, what impact a cyber threat can have on their work in the long run. Adopting and sticking to security measures takes time, effort, and the motivation to keep going.
Forbes Technology Council wrote about gaining employee compliance with cybersecurity procedures by, for example, making 'cyber threats' a more relatable problem (Forbes Technology Council1). Training and education should illustrate how attacks can affect personal lives just as much as the business.
Even for experts, the subject of cyber security is not exactly straightforward. Risk mitigation strategies are constantly adapting, improving, and innovating. Keeping up with the implications of interconnectivity between devices and systems, for example, is one of the factors putting an expiry date on some existing approaches to risk mitigation for OT environments. So, if things are constantly evolving, it is no surprise that how to achieve a comprehensive cyber security strategy is continuously up for discussion. If a universal and simple solution existed, this article wouldn't have been written, and hackers probably wouldn't be getting so rich.
Compartmentalise
The matter gets even more complicated on an industrial scale that encompasses both IT and OT systems, as in the manufacturing industry. In our previous article, the interviewees agreed that IT and OT should never be treated as one and the same. But they also agreed that collaboration and communication between these departments are key to a successful risk mitigation strategy that benefits the company as a whole. Similarly, but far more radically opposed to the idea of an IT-OT bridge, some security professionals dismiss IT-OT convergence as unnecessary and risky (Daniel Ehrenreich1). They argue that IT and OT should remain completely independent departments, with independent teams crafting independent security strategies.
Or actually… Converge
On the other hand, there are those concerned about an exaggerated compartmentalization of functions. Elliot, for example, argues that "we need a common strategy across the enterprise and across players around the world. From a technological standpoint, they are already intertwined anyways". He believes that striving for a common security approach might eventually push the boundaries of IT and OT integration, to the point where treating both as one becomes the way to develop stronger security strategies. "These systems are intertwined and their functionality within the company can't be separated", he concludes.
Another pro-convergence voice is Ascentor, the independent information risk management consultancy whose client list includes the UK's MoD (Ascentor1). They have written that "even if the difference between IT and OT is clear (we are not sure it is, or that it really matters!), once OT and IT are interconnected, the risk boundaries are blurred: IT vulnerabilities can quickly become OT ones and vice versa. Acknowledging the convergence and managing the risks to avoid an uncontrolled collision is what really matters". So, convergence or no convergence, that's the question. Or is it?
Neither and both
UI Labs takes a more diplomatic approach: “Gone are the days in which security was only an IT problem. OT risk assessments are growing in adoption and capability. Their continued development will give much more visibility to the potential risks that OT systems could introduce. Assessing OT systems requires a slight shift in methodology and scoring, as they differ from IT Technology. But we are starting to see holistic assessment offerings for the manufacturing base that take both IT and OT into account”.
Common ground
While the IT-OT collaboration challenge is being debated by specialists, perhaps we should go back to the question posed at the beginning of this article: what can I do? The benefits of establishing successful cross-departmental collaboration between people within the office seem to be a rare point of agreement in this discussion. So, perhaps one of the few things we can do for now is focus on that. Uniting professionals with different expertise, experiences, challenges, and priorities might seem like a lot of work. But, as the saying goes, there is nothing like a common enemy to unite people.
Increasing diversity in the risk mitigation agenda could shine more creative light on a problem that no one knows exactly how to solve and that affects everyone. So, with this in mind, let us all take a bit of responsibility when it comes to risk mitigation. Sure, the CISO will keep their badge and continue to be a point of reference with huge responsibilities. But, as employees and manufacturers, we could at least think twice before opening the next email that pops up on our screen. And while we're at it, we might as well start reading some of the IT-OT discussions taking place online. There might be no universal solution out there yet, but there are a few very good ideas that might just contribute to your business's risk mitigation journey.
###
Elliot and Caralynn spoke at ManuSec USA, taking place in Chicago on October 9 and 10, 2018. Find out more at: https://usa.manusecevent.com/
Written by Paula Magal, Copywriter at Qatalyst Global and Technology Journalist for seQure.World
Thank you Elliot at Michigan Manufacturing Technology Center; and Caralynn, Koushik, and Alyssa at UI LABS, for your crucial participation in this article.
###
Information Sources:
Elliot1: http://blog.mmtc.org/2017/08/risky-business.html
Statista1: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
Elliot2: http://blog.mmtc.org/2017/10/cyber-attacks-are-here-to-stay-heres.html
Ascentor1: http://www.ascentor.co.uk/2018/04/ot-debate-critical-infrastructure-safe/
Daniel Ehrenreich1: https://www.linkedin.com/pulse/ics-operators-shall-refrain-from-it-ot-convergence-daniel-ehrenreich/
Forbes Technology Council1: https://www.forbes.com/consent/?toURL=https://www.forbes.com/sites/forbestechcouncil/2018/09/18/seven-ways-to-gain-employee-compliance-on-cybersecurity-procedures/#55ea6f1b3135
Mentioned external links:
Kaspersky Lab1: https://www.kaspersky.com/blog/the-human-factor-in-it-security/
Metro -Sept 2018: https://metro.co.uk/2018/09/20/hackers-steal-45million-from-japanese-digital-currency-exchange-7962543/