PodChats for FutureIoT: Securing IT-OT convergence – Technologist
We tend to be familiar with “Information Technology” and the efforts organisations put into securing the data, applications, and systems we refer to as IT.
Operational Technology is less understood. Only with the adoption of IoT and, more importantly, the attacks on critical infrastructure systems has the issue of securing OT become a point of contention, starting with who is responsible for IT-OT or OT-IT converged systems.
The implication of convergence to business
Richard Farrell, Eaton Asia-Pacific director for Cloud, Data and Digitalization, is quick to remind us that information technology (IT) comprises servers, storage, switches, routers, and software.
He goes on to remind us that operational technology is what is typically associated with facilities or commercial buildings: power generators, chillers, lighting systems, as well as SCADA software systems.
Is it convergence or integration?
Most discussions involving both IT and OT tend to use the term convergence. So, when FutureCIO asked Farrell for his opinion, he acknowledged that ‘integration’ is not something he is asked about on the subject. He conceded that convergence has become a buzz term, losing its meaning in the process.
For Farrell, the discussion is more than just the technology itself. He believed that it is about bringing the two, IT and OT, together. It is also about the people that have traditionally been associated with each technology.
“To make that convergence is to bring these people together for governance and cultural purpose to have a common purpose. The integration for me is probably more on the technical side of things. How do we integrate our IT and OT systems? How do we integrate those and how do we converge teams to work together?” he opined.
Influence of 5G on IT-OT
Farrell says 5G, growing at a compound annual growth rate of over 46%, is one of those technologies that are ‘smashing the IT and OT worlds together’. He opined that 5G is an enabler of the growth of IoT.
“Think about what the Internet of Things is. It’s a bunch of sensors that are gathering data and transporting that data to the internet. It is transporting back and forth, whether it be in the storage, back to the sensors, lots and lots of information, you know, coming in. The transport mechanism is 5G. And because this 5G is super quick, that’s going to transport even more masses of data,” he continued.
He is quick to remind us that the growth is not exclusive, not strictly IT or OT or IoT or Industrial Internet of Things, as both benefit from the connectivity that 5G enables.
“You are going to find that a lot of the information that is used in IT systems is going to be used to operate more efficiently, the Operational Technology systems. And vice versa, all that data we’re getting through the Internet of Things, and 5G being an enabler, is going to send all the information back to IT networks as well,” he elaborated.
He believes these things are going to be smashed together, and that it is IoT and 5G, both growing rapidly in the region, that are going to be the enabler for this.
Holistic IT-OT cybersecurity programme
Asked for his recommendation on best practices for a holistic IT-OT cybersecurity programme, Farrell suggests that a better approach is a cybersecurity lifecycle service. It is not about fixing the problem once and treating it as fixed forever.
“We strongly advocate having a lifecycle service, meaning regularly assessing and auditing physical and virtual networks,” he added. He emphasized that the network is one network, as IT and OT are interconnected today.
“If you do an assessment, you can do asset management checks – checking what is physically and virtually connected to your network. It is having somebody who knows how to do this, comes out, sniffs around your network, walks around your facilities, and with the help of the local IT and OT teams map out all those devices virtually and physically that are connected,” he elaborated.
You don’t know what you don’t know!
He also advocated thinking like a customer.
“The last thing you want to do is suddenly start to think you are having an attack or denial of service attack, and you have no idea what device is being affected, or where it is originating from. So, the simple thing first – know what’s connected to your network, physically and virtually,” he reiterated.
“What does a customer want? Customers want everything as a service. They want everything to be cloud-based. They want it to be accessible 24/7. They want to have zero security risks when they do it, and they want to know who is accessing the data, and they want to know what to do with that data,” he continued.
Assuming that the customer can see the data, will it help them make facilities operate more efficiently? How does this attach back into the IT world?
“The reason we say everything as a service is because at the end of the day, anything as a service is going to live in the cloud, and it’s going to have security vulnerabilities, right? If we look at just one, just something in isolation on the OT network, or something in isolation on the IT network, we’re not looking at everything. So, look at everything as a service in there, and how that affects the organisation,” he explained.
Lastly, he believes that best practice is about people and psychology.
“It is a mixture of convergence and integration. You want one team that is working together for one goal. Whether you have operational people sitting in your IT team, or IT people sitting in your operations team, whichever way it may be – you have got to have the right governance in place,” he explained.
Having the right culture in place, one of ‘us’ and not ‘them’, will be important in this IT-OT connected world.
“As these technologies integrate more, and they converge more, as well, there is probably not going to be an IT person. There is probably not going to be an operations person. They are just going to be the network security people in general,” he concluded.
Click on the PodChats to listen to Farrell offer his expertise and opinion on IT-OT convergence.
- What is IT-OT convergence? What are the implications for businesses?
- Should it be considered IT-OT convergence or IT-OT integration?
- How has the growing adoption of 5G and IoT technologies led to the convergence (integration) of IT and OT systems?
- How should these, when connected to the IT systems, be secured?
- Please name 3 best practices for a holistic IT/OT cybersecurity programme?