A cultural and technological clash between IT and OT is hindering organizations’ efforts to mitigate the risk of serious cyber-physical attacks, according to Trend Micro.
The security giant’s VP of infrastructure strategies, Bill Malik, explained to Infosecurity Europe attendees that the fundamental goal of OT teams is to “ensure everything is safe and reliable.”
When it comes to information security teams, however, it’s all about ensuring data is not “lost, altered or disclosed.”
“These goals are out of mind for people running OT systems, so when you try to converge the two you end up with major conflict,” said Malik.
Where OT teams try to fix an issue as quickly as possible in order to preserve the integrity of the service, IT security teams want to find out what went wrong to prevent it happening again, he added.
“When you have people with expertise in their own domains working together, it results in a kind of ‘ritual combat’,” said Malik. “The biggest challenge is integrating their viewpoints.”
Another example of the disparity between the two ways of approaching cybersecurity is the DevOps concept of “fail fast and fix fast.”
“Let me tell you: 'fail fast' doesn’t work when you’re fixing a connected car, or a robotic surgery,” warned Malik.
The job of security managers is complicated further by the mass of different protocols used in the IoT world to enable communication between devices and controllers.
In healthcare, these challenges are compounded by the fact that medical devices in the US take 2-5 years to get certified, but if the software is upgraded they risk losing that certification. This means out-of-date and insecure platforms like Windows XP are not uncommon, warned Malik.
“Whether we’re talking about a power station, a hospital or your Alexa at home we need to be able to identify all vulnerable devices, ensure they’re properly segmented and know what activity is going on,” concluded Malik.
He added that organizations need to upgrade where possible to ensure devices are as secure as they can be, and to support modern, secure IoT architectures, as well as plan for regulatory mandates.
Europe’s new NIS Directive should go some way to helping improve the resilience of “essential services” providers to cyber-physical attacks, by raising baseline security standards. In the UK it applies to transport, energy, healthcare, water and other CNI sectors.