Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Securing IT-OT Environments: Why IT Security Professionals Struggle

When providing cybersecurity in converged IT and operational technology environments, it’s critical for infosec pros to understand the differences between the two and utilize a toolset that delivers a comprehensive picture of both in a single view.

If your organization has IT and operational technology (OT) environments, it’s virtually guaranteed that they’re converged, even if you don’t realize it. Gone are the days when OT was air-gapped. Instead, connectivity is delivered through the IT infrastructure, thereby leaving the door wide open for adversaries to reach critical OT infrastructure. And, based on our experience working with organizations around the globe, we believe that IT devices account for approximately half of what’s found in an OT environment these days, making it nearly impossible to draw a hard line between the two.

As a result, an increasing number of IT security professionals suddenly find themselves managing the security program for both environments ― and many are at a complete loss as to where to even start. That’s because IT and OT environments were built differently from the ground up. Consider this comparison:

Comparing IT and OT environments                             

Attribute IT OT
Control Centralized Zone-based
Connectivity Any-to-any Context-based (hierarchical)
Focus Top-down ― operations and systems required to run the business Bottom-up ― plant, processes and equipment required to operate and support the business
Reach Global wide area network (WAN) Local area network (LAN)
Network posture CIA ― confidentiality, integrity, availability AIC ― availability, integrity, confidentiality
Response to attacks Quarantine/shut down to mitigate Non-stop operations/mission critical (never stop, even if breached)
Biggest fear Network intrusion Reduced safety; loss of view/control
Level of cybersecurity maturity High Low
Weakness Stringent security controls Insecure behavior

Source: Tenable, December 2021

So where do you even start? A great first step is to understand the differences highlighted in the table above and consider how those differences might affect attitudes, beliefs and, ultimately, security decisions.

What’s in a name?

The word “security” takes on a different meaning in an OT environment. I will be forever grateful to a friend and former colleague of mine who saved me from making a fool of myself in front of 100 OT practitioners when I was just getting started in IT/OT security. I was reviewing my presentation with her prior to a talk I was preparing to deliver to this audience. In it, my plan was to tell them that OT practitioners needed to start paying attention to, and really prioritizing, security. She explained to me that the OT audience would react negatively to this message. They already consider security to be at the heart of everything they do. So, what was the problem? I was defining “security” in the context of my IT experience, meaning cybersecurity. In the OT world, “security” means safety and physical security. So, one word with vastly different meanings.

Why do IT and OT professionals view “security” so differently?

In IT, data is king, so it stands to reason that the biggest security fear is that there could be a network breach. An adversary gaining access to the network can damage the integrity of the data, exfiltrate it, or even lock it up so that it can’t be accessed by the organization. In contrast, OT environments are inherently more physically dangerous, so the biggest fear is that there could be an accident that disrupts critical operations and possibly jeopardizes employee safety, or that of the community. As a result, OT professionals are highly driven to manage an “always-on” operation, as well as to maintain a high degree of safety ― and, by extension, the physical security controls of the environment.

Vastly different structures

With that background in mind, the rest of the table starts to make a lot more sense. IT security professionals opt for centralized control, providing an infrastructure that can conceivably be used to permit any asset or person to access any other asset, or any data, anywhere on the network. These are wide area networks (WAN) housing the systems and processes required to run the business.

Conversely, OT environments are designed with a great deal more privacy and limited control in mind. These highly segmented environments make it impossible for authorized people and assets to access other assets that are outside their purview. These are local area networks (LAN) that house systems and processes that support the business. Most of these devices are intended to only communicate with other devices within their zone and not with the outside world.

Differing viewpoints

Given their disparate network topologies and definitions of what it means to be secure, it shouldn’t be surprising that the priorities of OT and IT security groups, and their reactions to attacks, are at polar opposites, even within the same organization. While IT security professionals prioritize their world in the form of C-I-A (confidentiality, integrity, availability), OT professionals take the diametric opposite perspective, prioritizing their world as A-I-C. As mentioned above, for IT security, data is absolutely the most important thing, so ensuring its confidentiality and integrity will trump availability every time. But for a safety-conscious OT professional, the operations must always be available to ensure that the environment runs smoothly and without failures that have the potential to lead to catastrophes.

What do these different priorities look like in action? In the event of an attack, IT security pros will quarantine and shut down the affected systems as quickly as possible in an attempt to contain the problem and minimize any data leakage. OT, however, will take the opposite approach by keeping the critical infrastructure running at all times. The only deviation from this strategy, of course, is if the attack causes OT devices to malfunction and possibly present a danger to the business, its employees, or the surrounding community.

Variety of tools

Arguably the biggest challenge faced by IT security professionals as they attempt to get their arms around OT security is the fact that many of their traditional IT security tools don’t work in an OT environment. In fact, the most basic IT security tool of all ― the scanner ― can actually crash an OT network. So, you need to be sure to choose a scanner that’s proven in an OT environment. But then you run the risk of having two sets of security tools, one for each environment. While this will certainly help ensure that you have the right tools for each job, it can become challenging, at best, when it comes to managing them all, and ensuring that your staff is trained to use them all properly.

Then comes the true complication ― figuring out how to merge all of the disparate data, from the two completely different environments, into one dashboard so that you can view all assets and prioritize all security issues across your entire attack surface. Without this ability to comprehensively view and assess all environments across the extended attack surface in a single, fully-integrated solution, your team will spend exponentially more time understanding the full security picture. Plus, you run the very real risk of missing major security issues.

The bottom line

If you’re responsible for managing the security program for a converged IT/OT network, it’s absolutely essential that you understand the differences and unique challenges of an OT environment. And just as importantly, take care to ensure that you’re utilizing the right security tools for the job ― those that will support an OT environment, and that fully integrate with complementary IT security tools, to deliver a comprehensive picture of the organization’s security landscape. Then, from a people and process perspective:

  • Ensure that your IT security professionals meet with the OT leaders to truly understand the inherent differences that are unique to OT environments.
  • Take the time to truly understand the needs and priorities of of OT ― and why they’re important ― rather than pushing IT security philosophies on them.
  • Understand that OT environments have only experienced outside connectivity for a relatively short period of time, so OT leaders are still at the beginning phases of security maturity.
  • Winning hearts and minds is essential, so be open to phasing in changes, rather than pushing for the “ideal” security solution overnight.

Learn more

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save.

Add Support