IT and OT Cultural Differences
Why It’s Imperative to Bridge the IT & OT Cultural Divide
We hear it all the time from security marketers and evangelists alike. “Information technology and operational technology are converging!” It’s a simplistic way of characterizing what is a highly complex web of digital transformations affecting a broad range of industries, from manufacturing to energy to real estate.
But the statement is only half true. IT and OT are converging or better said, integrating from a technology perspective, but the two disciplines are lagging from a governance and management perspective and there is a wide cultural gap between the two.
1. Time and availability
IT professionals operate in a 9-5 world, while OT is a 24/7 operation. IT functions with standard help desk tickets and network troubles that are addressed in a timely fashion in the order they’re received. Not so in OT’s world. Downtime means lost production and that translates into lost revenue by the minute. It’s all hands-on deck until the issue is resolved, or at least until a temporary fix is determined.
2. Shift in the priorities
The priorities amongst IT and OT teams are relatively polar. While IT operations revolve around the AIC triad (availability, integrity, and confidentiality), OT professionals value uptime and safety as their top priorities. When machines are down, every minute counts to mitigate the loss on a plant floor. Availability of equipment is not an emergency to IT where alternate printers or devices are readily available. By the same token, safety measures in a low-voltage environment are not relevant to someone in IT, but confidentiality becomes a major pain point in the event of a security breach. Real threats and vulnerabilities exist in both worlds, they just have different consequences.
3. Technology; modern vs reliable
To an OT professional, reliability is key which means new technology is adopted once it’s matured and debugged. While this practice drives stability it also means equipment is older. Skill sets also vary given system gaps and may be a generation apart. To further widen the gap, OT professionals generally have engineering backgrounds and similarities in how they problem solve. An IT professional’s education is not rooted in an engineering perspective.
4. Reference Points
Another important difference between the groups is the difference in reference points. Although IT and OT people are both “T” people, their technology training and experience leads them in different directions. As suggested, IT people are cybersecurity savvy and know about the technology and products that keep networks protected. While OT people can code and deploy a PLC, a valuable skill that’s fairly foreign to IT people.
With their differing backgrounds, even the “same” language can have a completely different meaning. Once, I was talking with a mixed IT/OT group about “SIP.” It soon became apparent from the dialog that we weren’t all talking about the same thing. One group was referring to CIP as in “Common Industrial Protocol” and the other SIP as in “Session Initiation Protocol.” Miscommunications like this could lead to major problems—like if someone was told verbally to ensure that a new device is compatible with “SIP.”
5. Downtime and Risk
This difference in priorities shows itself in many ways. For IT, the go-to fix is to reboot, resulting in a period of unavailability that is deadly for production. Performing software upgrades and patches are routine and pose a low risk. In OT, patches and upgrades mean taking something offline, and so are reserved to be completed during a scheduled downtime. IT also loves to scan the network, a proactive measure meant to ensure that there are no viruses or threats on the network. This scan does not affect PCs and printers, but delicate PLCs on the plant floor can crash from being pinged—another example of how availability must overshadow other concerns on the plant floor.