IT and OT need a shared language of IIoT

IT and OT need a shared language of IIoT
(Image credit: Pixabay)

Internet security is a key concern of business, and this goes beyond malware and antivirus software protection. IT and production Operational Technology (OT) teams are aware of the cybersecurity obstacles to overcome in order to achieve successful Industrial Internet of Things (IIoT) implementations. Yet, each department addresses those threats with different priorities and requirements. 

For IT teams, endpoint security software management demands consistent attention to detail as teams work towards ensuring safe and secure data access for authorised network users. Obversely, constrained by the need to maintain a steady production line, OT teams are wedded to a mentality that dictates ‘if it isn’t broken, don’t fix it’. One example of this dichotomy is seen in the coal industry where ‘quick fixes’ to sensors, machinery and control systems just do not exist and can grind the whole system to a halt, hampering vital production.  

In a recent report by consulting group McKinsey & Co., differences in the IT/OT "last mile" have been shown to act as a barrier for companies trying to convert IIoT pilot programs into enterprise-wide deployments, especially when it comes to maintenance management software. Here, the challenge comes in helping the two teams to understand each other’s operational language while using procedure-driven vulnerability management practices adapted to their environments.

About the author

Peter Meivers is Senior Product Manager at baramundi Software AG.

Patching over problems 

Within patch management, there exists the most obvious differences in the language of IIoT for IT and OT professionals. The purpose of a patch is to close security gaps, correct errors, and extend features as well as functionality of systems. Overall, this ensures security within a network. This is a great starting point to bridge the gap in IT and OT procedures. 

For IT professionals, patch management is pursued with vigour. Most notably, this is seen on ‘Patch Tuesday’ when weekly improvements are made to a system’s functionality and security. With an automated software such as a unified endpoint management (UEM) system, patches can be pre-configured and tested, then deployed overnight with systems automatically powered up, rebooted and shut down before users arrive the next morning. 

In turn, endpoint users are faced with little to no disruption whilst their regular and new updates avert illegal attempts to access an individual’s device. This is an extremely effective process to guard against persistent cybersecurity threats. 

The challenge for OT

In comparison, OT professionals face an uphill battle with patch management. Attacks on industrial control systems rise year on year, usually targeted at disrupting production or for industrial espionage. Whilst the threat is clear and OT staff recognise the need for regular patching, their ability to respond is constrained by complex multi-vendor environments in continuous operation. 

Indeed, the average medium-sized industrial plant may have more than 200 pieces of equipment from suppliers using various configurations and protocols. Consequently, OT staff cannot routinely take control systems offline for patching and rebooting when it would disproportionately hamper production. 

The output of constrictions on OT staff patching has resulted in a recent SANS study noting that 56 percent of respondents see patching difficulties as one of their biggest security challenges. Likewise, only a mere 40 percent of respondents said they applied patches, dangerously preferring to wait for more complete software updates to justify service interruptions. This results in ‘Patch Tuesday’ being more like ‘Patch Q3’ or ‘Patch November’ for OT staff as deployments need to be planned, tested and deployed way in advance.

Bridging the OT/IT vulnerability management divide 

As many analysts have suggested, including IDC and Gartner, IT and OT companies within IIoT must build more cohesive policy-based procedures to mount a viable defence against challenges by providing adequate cybersecurity training and supervision. One way of achieving this is through bridging the language divide. Just take devices in industrial production, these must be recognised as endpoints in a similar vein to PCs and smartphones. 

Indeed, many OT devices are already PC-based, giving companies a great opportunity to design uniform safety procedures to identify vulnerabilities at the earliest possible stage.

Here, patch management becomes part of a wider war on system vulnerabilities. For example, by using a UEM system, OT and IT professionals within IIoT can find potential vulnerabilities quickly through being able to discover, map and inventory all network enabled endpoints. 

In turn, appropriate patches can be developed for deployment based on network requirements and the severity of the risk, minimising disruption to production. Here, UEM enables improved security measures for a firm working in IIoT. 

Now is the time for IT and OT staff to embrace a shared language through shared procedures and policies on IIoT vulnerability management in order to ensure security and enable vital updates across their systems.


Peter Meivers is Senior Product Manager at baramundi Software AG.

Richard Bejtlich

Richard Bejtlich is principal security strategist at Corelight.

He was previously Chief Security Strategist at FireEye, and Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. At General Electric, as Director of Incident Response, he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His sixth book is "The Best of TaoSecurity Blog, Volume 1"