IT & OT Relationship Management
In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. Much has been written about the problem. Most of that writing misses the point. In most cases, the relationship problem can be resolved with a little clarity, a bit more good will, and a modicum of mutual education.
The root cause of most IT/OT disputes is consequence – IT and OT networks in most organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand very different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s limited understanding of the other’s threats, risks and constraints.
While there is no “magic bullet”, effective cooperation to define and develop a workable OT proceeds much more smoothly with mutual understanding. Providing the foundation of that understanding is the goal of this guide.
Request the guide to explore:
Addressing espionage vs. sabotage – different risk management goals
Common misunderstandings – criticality, credibility, and cost-cutting
Prioritizing prevention – why segmentation and dependency analysis are so important in OT
About the author
Andrew Ginter
FAQs About IT & OT Relationship Management
Why is it so hard for IT and OT teams to cooperate on cybersecurity?
In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. These teams work in the same organization, support the same mission, and even address many of the same threats, but when they sit down together it sounds like they need relationship counselling.
Much has been written about the problem. Most of that writing misses the point, focusing on symptoms of the disagreement rather than the root cause. The root cause is consequence – IT and OT networks in many organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s poor understanding of the other’s threats, risks and constraints.
What is the best way to encourage IT & OT teams to cooperate?
Mutual education is a key starting point. The goal of IT security teams is most often to manage business risk by protecting information – information is the asset. The security goal for most OT / engineering teams is to protect safe, reliable and efficient operations of the physical asset – information is the threat. The only way a control system can change from a normal state to a compromised state is if attack information somehow enters the control system. The focus for engineering teams must be to control the flow of potential attack information, not to protect that information.
Should IT or OT teams manage OT security?
The right question is not “Who should manage each asset?” but “How should each asset be managed?” While teams may argue over who should maintain which assets, the real question is “What are the consequences for the business if the assets are mismanaged?” Horror stories abound: an IT intern schedules a complete backup of the power plant control system at 2:00 AM and takes the entire plant down for the duration of the backup. A new Active Directory policy universally schedules a complete virus scan on every computer in the company at 3:00 AM and takes down every factory in the company.
In a real sense, who does the job does not matter, so long as they have the skills, knowledge, credentials and certifications to manage each asset correctly. Consider the engineers who manage OT-critical Windows systems: does it make sense to make these people part of the IT team that manages Windows servers? There may be benefits – efficiencies, cross-training opportunities, or better expert retention rates because bigger groups lead to greater opportunities for advancement. There may also be risks, if OT people are promoted into upper management roles and we no longer have enough people at lower levels trained and certified on how OT equipment must be managed. These are all organizational questions that can and should be answered independently, once we have agreed on how machines in OT must be managed differently from what appear to be similar machines in IT networks.