Why Lingering IT/OT Divide Invites New Security Risks

IT and OT (operational technology) come from different worlds — IT is in charge of data, information technology and cyber security, while OT typically handles IoT, sensors and manufacturing. Their hardware is different, communications protocols are different, and culture and outlook are different.

That state of affairs means they are often at odds, putting your enterprise as risk. But it doesn’t need to be that way. What’s more, organizations reap clear security benefits by making sure they work together.

It’s all About Different Priorities

To really understand the IT/OT divide, you need to understand the different priorities that drive IT and OT, said Kunal Agarwal, general manager of the Internet of Things at Symantec.

“In an IT world, the priorities are all about productivity,” he said. “If a lot of the information technology systems that you use on a daily basis went down today, there really wouldn't be any huge business implications tomorrow. But in an OT world it's all about reliability. You’re in an industrial environment which needs to be up and running all the time. So, when you’re trying to secure an OT system, one of the biggest challenges you have is how you protect something without any chance of causing downtime.”

Another security-related difference between IT and OT, according to Agarwal, is that IT has combated cyber dangers for years. So, the dangers are well-known, as are the ways to combat them, including anti-malware, fraud protection and endpoint protection. But for OT, he said, the dangers are much newer, and the solutions aren’t that clear.

“It’s really the wild, wild west there and everyday it’s getting worse,” Agarwal said

His views are echoed by Don Pearson, chief strategy officer for Inductive Automation, which makes software for industrial automation, and works with both IT and OT. Pearson notes that even the data used by IT and OT are different.

“People on the IT side are using data at the enterprise level and they’re thinking in longer time periods — weeks, months and years,” he said. “But on the OT side, they’re working in real-time and looking at data measured in milliseconds.”

Another issue is that IT works with equipment and software that is widely standardized, such as Windows and PCs. OT, though, has to handle many different types of proprietary equipment. As a result, Travis Cox, Inductive Automation’s co-director of sales engineering, said IT typically works in a top-down manner to deal with all systems in a standard way. Meanwhile, OT works from the bottom-up, because people who directly handle the disparate pieces of equipment have the best hands-on knowledge about what works.

Bridging the IT/OT Divide

In the past, enterprises could survive the IT/OT divide, because IT and OT systems were largely separate. But with the advent of the IoT revolution, the gap needs to be bridged. Networks run by IT reach into factories, which have a mix of IT devices and hardware typically overseen by OT. If the two groups don’t come to a common agreement about how to handle security, breaches may be inevitable.

The problem is ingrained in many companies because enterprises rarely combine IT and OT into a single department. An Automation World survey in 2017 found that fewer than 10 percent of companies have combined their IT and OT departments. A full 24 percent of companies surveyed say the two departments “have very little if any interaction at all.”

Given that, how does one bridge the IT/OT divide? Agarwal said each side needs to gain the trust of stakeholders on the other side. He adds, “The number one thing is to not make assumptions. Because on both sides there are people in place who have kept the business running for a long time. Don’t come in and tell them they’ve been doing something wrong. Recognize that you’re coming in to learn.”

Only when trust has been gained that way can the two sides work properly together, he believes.

Cox believes that the IoT revolution will force IT and OT to work together more closely, because C-level executives will increasingly recognize that’s the only way they can transform the way their companies work in the IoT era.

And Pearson issues a warning: “There is a graveyard full of gravestones of corporations who didn't get with the program on previous technology transformations. Ultimately, it’s more about getting people to work together than it is about technology. There has to be C-level endorsement and IT and OT buy-in.”

Agarwal is optimistic that will happen.

“Enterprises everywhere are having IT/OT discussions today,” he said. “I’d say less than 20 percent of Symantec customers aren’t having them.” Given that, he said, he expects that the IT/OT divide will be bridged so that enterprises can keep both their IT and OT hardware and systems safe, up and running.