I was intrigued to learn that certain coyotes and badgers team up while hunting. If the prey runs fast, the coyote takes the lead. If the prey dives underground, it’s the badger’s department.
IT and OT can take note. They share a common enemy: cyberattacks targeting the industrial networks that connect Internet of Things (IoT) sensors and industrial control systems (ICS) that control valves, boilers, breakers, motors, robots and everything else that makes industrial operations safe and efficient.
But where the coyote-badger partnership is helpful but not necessary, I’ll argue that the IT-OT collaboration is mandatory for securing industrial networks. Without a partnership with OT, IT will fail.
Why IT can’t do it alone
I’ll explain with an example. Say the network carries a message modifying a controller configuration. The message could be legitimate. Then again, it could be an attack designed to raise boiler temperature to dangerous levels, make a robot go berserk, or open a valve to release toxic chemicals into the environment. To respond appropriately, IT needs input from OT. What signs indicate a modified configuration is malicious? If the message snuck through defenses, should the assets be quarantined? Is there a better way to contain the attack without putting the rest of the process at risk?
Making the case to OT
Many OT teams hang a “keep out” sign on their network, so be prepared to make a case for collaboration. Fortunately, you can offer a powerful incentive. That is, the information that IT needs will also help OT maximize uptime, production output, and safety.
The collaborative process can be summarized as “identify to protect, then detect.” This approach is generally agreeable to both IT and OT. It’s what NIST describes in Framework for Improving Critical Infrastructure Cybersecurity, and what the International Society of Automation (ISA) recommends in ISA99/IEC62443.
A framework for collaboration
The first step is “identify to protect.” If you don’t know what’s connected to the network, you’ll operate in the dark. Start by building a complete inventory of everything connected to the industrial network, noting how critical each asset is to the business.
Next, IT and OT work together to group assets into zones and conduits that contain attacks. Industrial firewalls like the Cisco ISA 3000 industrial security appliance comply with OT requirements and don’t require IT to learn a new interface. IT manages the ISA 3000 using the same software they already use for other Cisco Firepower firewalls.
When assets are grouped, IT can start building the appropriate security policies. The pre-work helps to focus threat detection on what really matters.
Cisco Cyber Vision simplifies the collaborative workflow I just described. For OT teams, Cyber Vision is an easy way to group assets into zones and to define the normal state for various parts of the network. This gives IT the context to build security policies, identify anomalous behaviors, and respond to threats in a way that doesn’t disrupt critical processes.
When anomalies are detected, Cyber Vision alerts both teams. IT responds by investigating and mitigating the attack, and OT responds by making adjustments to keep production going. As a side benefit, Cyber Vision gives OT the operational insights to improve production efficiency.
Cyber Vision shares all OT asset information and events with existing IT security platforms. Using products like Cisco SecureX, IT can investigate and remediate threats across both the IT and OT domains and build a truly converged IT/OT security strategy.
Where partnership is optional for the coyote and badger, it’s a must-have for IT and OT teams working to secure industrial networks. OT shares its knowledge of connected devices and industrial processes, and IT applies its cybersecurity expertise to detect and mitigate threats. Neither team can succeed without the other.
To learn more about how this collaborative workflow will enable you to build a converged IT/OT security strategy, I invite you to check out our new white paper by clicking here.
Want to get the latest news on IoT security? Subscribe to the Cisco IoT Security Newsletter.
What are your hopes and concerns for converged IT/OT cybersecurity? Please share in the comments below.