'IT shouldn't tell OT they have an ugly baby,' says Anglo American CISO
How digital and physical infrastructure can work in harmony with operational technology
Operational technology and information technology can - and should - work together to improve security, said members of a panel speaking at Infosecurity Europe 2019 in London today.
"Traditionally IT will be looking at confidentiality as their main concern, and OT will be looking at operational resilience and availability - that's a legacy set of priorities," said Matt Gordon-Smith, CISO of mining giant Anglo American.
"But with the inter-connection with networks and environments, a lot of those factors are merged. People are trying to attack these assets and have a much greater inter-connectibility, putting it in environments where, potentially, competitors and other people of interest may want to get access," said Gordon-Smith.
"Operational technology is built to a very specific environment," he said, adding that the last thing OT professionals want is IT people coming in with their own entrenched views. "They don't need security people coming in and telling them they have an ugly baby," he said.
"Ensure you engage on an even level, and don't just tell them what's wrong. It's a pet versus cattle thing," added Nuclear Decommissioning Authority CISO Gavin Ellis.
"That's more likely to happen in OT, as if it's a submarine or an aircraft carrier you have people who are more likely to have worked on it for 20 years before it's ready to go live."
Ellis suggested a good way to collaborate between IT and OT is with user stories.
"If you're risk-focused you can get IT and OT teams to look at which threats they prioritise defending," he said, explaining how just hearing each other's side of the story can enrich personally-held views.
Head of IS at Thames Water, Shawn Scott, pointed out the differing views of "high" and "zero" trust in each professional's environment.
"An external IT contractor can come right in and plug in" to an OT environment, he said, despite these environments being considered "zero trust" in OT terms.
"In the IT world they'd think the opposite - the instance of someone bringing a strange computer into your environment is just horrible for an IT professional," said Scott. "You need assurances on both sides everyone is comfortable with what's happening."
But OT and IT can, ultimately, get along, Ellis argued. Apart from anything else, in the modern world, they need to.
"I think they have to. The place we've been in with OT isn't necessarily secure. Ignorance isn't necessarily bliss. We can't keep networks isolated - people will plug in and then whatever nasties are on the laptops are on the network. There wasn't a golden age of OT we lived in."
Ellis cited new operating systems such as Chromium and Android - low-powered devices which can work in OT environments "we can make best use of".
Ellis also pointed out that organisational boards in OT now want "the latest data on productivity from their systems, or suppliers who don't want to send out the guy with the magic laptop to fix your OT systems" - not least because those people are expensive.
Also, though, because the employers of such consultants don't want to be the ones to introduce problems onto a network linked to national critical infrastructure.
"We can't have rose-tinted spectacles for how it was in the past," concluded Ellis.