Bridging the IT & OT Divide
Why is it important to bridge the gap between IT and OT departments?
Over the past decade, IT and operations technology (OT) appear to be working together more frequently than before, but they’re still far from being a united team: according to Automation World’s latest reader survey, fewer than 10 percent of companies have combined their IT and OT departments.
Let’s say your organization has decided to invest in securing its industrial control systems, either because of an incident in its OT network or to reap the benefits of digital transformation and Industry 4.0. Who would be in charge? The IT department or the OT department?
The problem is that neither of these departments has full exposure to, or experience with, what the other department is doing, which normally leads to many disputes over the approach and over selecting the right vendors and partners.
Larger organizations have started to hire for positions like OT security manager or Digital Transformation Officer, reporting directly to the CISO or CFO, but in reality the majority of companies do not have this intermediary role.
The IT security folks have a pretty good idea of the main players in the IT domain but often lack experience with the OT companies. On the other hand, cyber security is still a new topic for industrial engineers on the operations side. As a result, it’s recommended to take the following approach:
Hire a hybrid OT security firm
By hybrid we don’t mean a consultant with IT and OT experience. What we mean is a firm that can provide OT security engineers alongside mechanical or industrial engineers with years of cyber security experience. They are able to speak the language of both departments and they understand the mandates set.
Assess your OT network
Start by assessing your industrial network to create a snapshot of your organization’s security posture. A risk assessment conducted by a focused OT security consultant can provide a roadmap for your organization’s cyber security priorities and needs.
Improving an organization’s security posture requires making a number of joint decisions between IT and OT staff, and often each team has its own preferences on technology, approach and who they trust to work with. These team differences create tensions that often become personal. Having a 3rd party consultant who can relay those differences of opinion and interpret them into business objectives, costs and benefits can significantly ease and speed up the process.
The OT team generally critiques the IT team for not having the technological understanding of the production process. From their side, the IT team complains that OT has too narrow a vision, which prevents them from seeing the bigger picture. Here is a great article about cultural differences.
There is no clear-cut solution to bridge the historic divide between OT and IT. Likely, integrating OT and IT will require organisational changes that will take time. At the end of the day, technological progress cannot be stopped. On the contrary, its pace will only increase.
The divide between IT and OT will continue to grow and there is a serious need to bridge the gap between the two, either by hiring a C-level manager or a 3rd party consultant, at least to kick-start the cyber security process and reach an acceptable level.