Incident Response in IT and OT Are Two Very Different Things

Think about it – your OT environment has already been breached. But what does that really mean?

Today, you can’t read a news story or blog without learning about yet another breach of some sort. But are they all really breaches? The problem is the definition of “breach.” Just like “vulnerability,” the term is tossed around without context and means different things to different people.

The Cambridge Dictionary defines a breach as “an act of breaking a law, promise, agreement or relationship.” But we typically associate a breach with IT cybersecurity: data breaches, network breaches, and so on.

When a breach does occur, your responsibility is to initiate an Incident Response process. This of course is well defined and documented in the IT world. But how does it work in the OT world? Let’s start by establishing definitions for what is a breach and what is an incident as it relates to your OT environment.

The Language of OT

In the OT world, we must take a completely different approach. A vulnerability in the world of Industrial Control Systems (ICS) cannot – and does not – have the same meaning and connotation as it does in IT.

OT people speak a different dialect than IT people. In ICS, we talk about “operational anomalies” that open an “aperture.” And that could lead to a “vulnerability” which may lead to an “incident” which may or may not be cyber-related. That’s nothing like how it works in IT.

Let’s look at an example:

Say there is an issue at a local facility where a chiller is experiencing spikes in electrical output, causing the chiller compressor to trip a breaker. This chiller has the capability to be “connected” (i.e. it has an Ethernet port). So, the local plant operator, working closely with the chiller vendor, plugs an Ethernet cable into the chiller. This enables the vendor to access the PLC. The issue is corrected by the vendor.

However, the Ethernet cable is left in place – exposing the chiller’s PLC to the hazards of the Internet. This is a very real-world example of an operations anomaly which opens an aperture that exposes a vulnerability. Of course, you already know what the potential outcome can be.

The OT-IP-IT Boundary

Situations like this can and will occur. Let’s face reality here: Regardless of whether we’re talking about IT or OT, an incident will occur. The question is, how well are you prepared to respond?

Most organizations have a clearly defined IT Incident Response plan in place. If your company is more mature in its governance program, the Incident Response plan and Business Continuity plan are aligned. But OT people don’t always have their cyber ducks in a row like the IT people. OT systems that have IP/IT connectivity are likely not even incorporated into the Incident Response process.

At Insight Cyber, we refer to this as the OT-IP-IT boundary. Let’s take an inside look at some of the pain points we have found during our OT risk assessments.

Lack of Oversight and Awareness in OT

IT operations teams frequently tell us they have no oversight or responsibility over OT systems that have IP/IT connectivity. At the same time, on the OT operations side, there are no clearly defined areas of responsibility when it comes to cyber-related activities in the OT world.

Fortunately, these discussions are starting to happen as the IT and OT worlds converge. It’s important to understand the areas of convergence and to incorporate Incident Response processes into both the OT and IT sides. The responsibility for Incident Response in the OT world will fall primarily on those who implement ICS, which is the local facility personnel. It’s not the IT cybersecurity team.

Depending on the maturity of the organization, OT operations personnel either have a slight understanding of cybersecurity awareness as it relates to OT or no clue at all. We see both scenarios all the time. Either way, an OT cyber security awareness process should be put in place. Particularly where OT operations are localized and IT personnel are not present or have no operational oversight.

In our next blog, we’ll take an inside look at the 5 key elements of an ICS cybersecurity plan.

16 views0 comments
  • Twitter
  • Linkedin

Copyright © 2018-2020, Insight Cyber Group, Inc. All rights reserved.

The following are trademarks of Insight Cyber Group:
The Insight logo, the Insight logo jewel mark, NetRadar™, NetRadar Express™, Managed IoT Security™,
Better Analytics. Better Insight™, Monitoring and Incident Response for the IoT™, Spherical Awareness™,
Decision Supremacy™, InsightCyber CISO-as-a-Service™, InsightCyber OT SOC™, InsightCyber Rapid Assess™,
InsightCyber Security & Risk Assess™, InsightCyber IoT Monitor™, InsightCyber OT SOC™, and InsightCyber  Lifecycle™.

Privacy Policy | Contact | About