In our previous post, Why operational technology (OT) may be your cybersecurity Achilles’ heel, we discussed how OT systems had been historically “closed” and that they have evolved over time to become more “open” and able to leverage common off-the-shelf IT technologies. With the advent of this industrywide shift, we identified a departmental clash between OT and IT personnel on how to best handle routine system maintenance and mitigate cybersecurity risks.
Safety is the primary goal of any OT process environment. From a people standpoint, OT personnel support this goal by holding daily safety briefings and performing a Process Hazard Analysis (PHA) prior to making changes. This ensures that safety is always being considered before and after performing work.
On the machinery and technology side, safety is achieved with vendors who can deploy systems that are certified as being safe and secure. These systems are programmed to prevent unauthorized system changes that could lead to system downtime, or worse. This is all supported by a common phrase used by OT personnel: “Do no harm.”
We often hear OT professionals use this phrase as justification for why their systems are unable to be upgraded or patched. Why? Any changes might potentially infringe on the “do no harm” edict: Change could introduce instability or cause outages, and it’s more straightforward to maintain system health by simply preventing changes. This makes it difficult to innovate and digitize aging organizations, and that mindset hasn’t sat well with IT personnel.
IT typically takes a heavy-handed approach to force upgrades upon OT systems. But they do so without the necessary planning or due diligence related to OT requirements and specific vendor tweaks. Oftentimes the result is a less-than-stellar upgrade experience or, even worse, unplanned system downtime. In short, “do no harm” actually leads to harm.
Experiences such as these further validate OT’s rationale of “do no harm.” So, how do organizations break the cycle? Most OT-related cyberattacks such as WannaCry, Petya, and LockerGoga could have been prevented with basic system protection measures and maintenance such as antivirus, patching, and system hardening.
IT should strongly consider taking a vested interest in understanding the concerns and motivations of the OT group. Safety is paramount, and negative impact to productivity translates into lost dollars. Avoid actions that jeopardize either one. The OT group tends to have a more experienced workforce with incredible knowledge of the environment, so leverage them for insight, guidance, and opinions on how best to partner with them on managing their environment.
Work with OT vendors during cybersecurity program initiatives. Rather than installing the corporate standard and assuming that machinery will continue to function correctly, approach the vendor and propose collaborative testing. More often than not, the vendor has seen your software package and knows the correct changes needed to allow proper functionality while maintaining overall system integrity and operation.
Understand the nuances between OT and IT, where separate policy development or governance processes would be valuable. Not every process works for both sides. It can be as simple as appropriate windows for taking downtime for system patching that coincide with production pauses, or large initiatives such as security vetting of new vendor systems before they are deployed in the OT environment.
Safety is paramount for any OT environment. But believing in the adage of “do no harm” does not mean “do nothing.” Proactive and regular maintenance of OT systems should be performed to support a strong cybersecurity strategy. Gaining a deep understanding of an OT environment, coordinating with vendors on changes, and acknowledging the subtle differences between IT and OT will lead to a better security posture and, in turn, fewer outages when performing these changes.