AWS for Industries

Cybersecurity Awareness Month: Ep. 1: Differences between IT and OT security

It’s National Cybersecurity Awareness Month! 

In 2003, the National Cybersecurity Alliance and the U.S. Department of Homeland Security designated October as Cybersecurity Awareness Month. To recognize this annual tradition, join AWS for a 4-part mini-series highlighting the different ways cybersecurity impacts your industrial landscape, especially since, as Caroline points out, “Over the pandemic, cyber events have really shed light on the need for comprehensive security along the entire supply chain.”

Cybersecurity Awareness Month Theme

According to the cisa.gov website: “This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people . This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers.”

This week our hosts sit down with Robert Albach, a leader in product management for secure firewall / industrial security at Cisco Systems, to discuss the differences between IT and OT in how they respond to security incidents, as well as how they value security within the organization. Hear the varied perspectives and mindsets at play, how technological updates can create risk in OT workflows, and how IT can keep OT secure while also keeping them physically safe, as “Safety is the number one concern in the OT departments vs uptime.”

Listen now to Part 1: Differences between IT and OT security (featuring Cisco) on Apple Podcasts, Spotify, Stitcher, TuneIn

Duration :00:17:07

“The IT world is used to a much faster obsolescence/update rate for technologies, whereas on the OT side it’s ‘Oh yeah it works, it’s fine, it’s simple – leave it alone.’ I think these [mentalities] frankly drive the deltas [between departments] with regards to adoption rates and in turn, has some impacts with regard to security.” – Robert

“That’s what makes this problem so hard … OT is incentivized to keep everything running, you know, their jobs are dependent on that production & IT on the other hand is prioritized and incentivized to make updates to protect the systems and data, and those incentives can completely contradict each other.” – Caroline

“I think that’s a big, important thing that people need to look at is that risk tolerance level and that the capabilities of when they’re looking at those and trying to assess where should we update, where do we need to make these changes? And it’s just probably not just security, but it’s across the board when they’re making any type of change in that shop floor.” – Doug

“Every change represents a risk to that operational state. So, the less changes I make, the more I reduce my risk. The more I reduce my risk, the more likely that I am to meet my operational metrics, which is how much I’m producing, what’s the quality, what’s the resource consumption rate and so forth.” – Robert

Featured Resources

Preparing & Responding to security incidents
https://thinkwithwp.com/blogs/iot/assessing-ot-and-iiot-cybersecurity-risk/

Ten security golden rules for industrial solutions

https://thinkwithwp.com/blogs/iot/ten-security-golden-rules-for-industrial-iot-solutions/

Assessing OT and IIoT cybersecurity risk

https://docs.thinkwithwp.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html

Ask A Question

Send us your questions at industrialpodcast@amazon.com. You can also post your question below in the comment section. We will reply to all questions within 1 business day.

Episode Transcript:

Transcript
Caroline
Growing skills gap, increasing cyber threats, supply chain disruption. Does this sound familiar?

Doug
It’s a tough industry to be in and we’re here to help.

Caroline
I’m your host, Caroline.

Doug
And I’m your host, Doug.

Caroline
And you’re listening to AWS Industrial Insights, the podcast for manufacturing and industrial business leaders who aren’t afraid to think big.

Doug
We interview executives from well-known companies to share the disruptive ideas and topics like leadership, technology, and innovation.

Caroline
So, let’s get started.

Caroline
Welcome, everybody, and thank you for joining us today on AWS Industrial Insights. Now this is the month of October, so we have like a really, really special four-episode plan for you. And it’s all around the Cybersecurity Awareness Month, which is October. So brief little history on this. You know, every year since 2003, October has been recognized as Cybersecurity Awareness Month.

Caroline
This was an effort brought to life through a collaboration between the U.S. Department of Homeland Security and the National Cybersecurity Alliance. So, the CSAM was actually created to ensure that every individual stays safe and secure online. So, AWS is going to participate in this campaign kind of in our own way with this podcast and provide some educational content around, you know, your biggest questions around industrial security.

Caroline
So, with that being said, I’m super excited to have Robert on the show with us. Robert and I actually used to work together at Cisco, and we did events all the time. So, Robert it is such a pleasure to have you on and can you introduce yourself?

Robert
Great to see you again, Caroline. Hi, folks. It’s Robert Albach with Cisco. I’m responsible for all things threat for the firewall and coordinating industrial security responses for Cisco.

Caroline
Awesome. And if you’ve never met Robert or you’ve never read any of his blogs or anything, he knows everything about security, so he can pretty much answer any question. And he is the perfect person to be on the podcast with us. And we also have Doug who’s no longer in a loud, noisy hall, right Doug?

Robert
All right. Yep. Got the joy of being out of Chicago. Great show, but it’s always good to be out of there at times as well.

Caroline
I get so exhausted after the events too. Okay, cool. So, let’s just jump right in. Episode one we’re going to be talking about, you know, the differences between OT and IT and how they respond to security incidents and also, you know, how they value security within the organization. So, before we even dive into that, I want to bring up some research I found in the global state of industrial cybersecurity from Applied Risk.

Caroline
You know, they did a study, this was independent. It was a global survey of 1,100 IT and OT security professionals who work full time for enterprises, specifically working on critical infrastructure. And the survey was geared around, you know, like understanding how they dealt with security challenges, specifically around resiliency and priorities moving forward. So, one stat I read in this, like, I just couldn’t even believe it.

Caroline
So, between 2020 and 2021, 80% of the respondents in the survey said that they experienced an attack, with 47% reporting an impact to their OT or industrial control system ICS environment. Robert, would you say that sounds accurate?

Robert
It’s a little surprising if someone were to tell me that, say, 47% of manufacturers had been attacked, that would not surprise me. The fact that 47% had said that it had impacted their OT environment specifically, that strikes me as a little bit high, but I find that interesting.

Caroline
Definitely. And, you know, over the pandemic, these cyber events have really shed light on the need for comprehensive security along the entire supply chain. Yet, you know, one thing I found in this report that just really surprised me is that, you know, when asked whether they conduct regular audits of their organizations, main suppliers, specifically for the supply chain, the majority of the people who responded of OT and IT practitioners said that they don’t.

Caroline
Can you talk a little bit about that, Robert? Like any ideas why it would be that way?

Robert
Well, I mean, supply chains can be very long. They can be fairly complicated. And to start with, all the different suppliers upon suppliers that you have out there, you may not have visibility into who all is participating. It’s not at all uncommon that you purchase some set of equipment from vendor A and they in turn outsource the maintenance of it to some other entity.

Robert
Not at all unusual. So, it doesn’t surprise me that that is the case. I will note that the United States government, starting really with the Department of Defense, focusing on the defense industrial base, is trying to get their arms around this particular issue with the CMMC, where they’re going to require anyone supplying goods to the defense industry to be able to protect confidential information related to those particular orders.

Robert
And it’s supposed to flow down to the sub suppliers and so forth. But to be honest, it’s been very difficult to get the thing fully launched. So that would really kind of point to, well, if the federal government and Department of Defense can’t get their industrial defense base lined up and ready, then it doesn’t surprise me that just standard manufacturers everywhere can’t either.

Caroline
Yeah, exactly. And, you know, one thing I think of, too, is that a lot of times like these, OT and IT practitioners tend to focus primarily on existing technologies that they have, like remote access management and asset management systems or industrial firewalls. But do you think that that limits them from adopting some of the newer future technologies? Do you think that that like holds them back?

Caroline
I just wonder if it’s, you know, like a fear of moving forward.

Robert
There’s a lot of inertia, but different rates of inertia. So, in the IT world, we’re used to swapping out our primary workstation or laptop. You and Doug are all on laptops at some form or another, every three years, more or less. Yet the equipment which is, you know, physically encased, potentially in concrete or whatever the case might be within an industrial environment, has a longevity which is multiples longer.

Robert
There are economic/accounting reasons as to why you don’t necessarily know it’s paid for. It’s pure profit, whatever the case might be. But I think some of these scenarios or such is part of one of the impedances I think we have between an IT world, which is used to a much faster obsolescence/update rate for technologies, whereas in the OT side it’s oh, it works, it’s fine, it’s simple.

Robert
Leave it alone. I think these frankly drive some of the deltas with regards to adoption rates and in turn has some impacts with regards to security.

Doug
Robert, I think that brings up a good point around the differences between IT and OT in what you’re seeing from a security difference. You mentioned right there obsolescence and how those different spans of time or not having to update with the latest feature packs and everything when you’re in the OT department.

Doug
What are a few other ones that you see as well?

Robert
So, there’s also a technology stack that is dependent to drive the factory itself. There’s technology stacks in which the equipment which performs the kinetic tasks necessary to create goods. Those can be on say different lifecycles. The top of the factory is largely driven by a Microsoft technology stack. Our good friends at Rockwell have factory talk. It’s all Microsoft, Siemens with Windows CE.

Robert
It’s overwhelmingly Microsoft and such. And so, in those cases, they are at a slightly faster pace than, you know, Mary’s Metal Mangler, which is on the factory floor. And Mary is not necessarily incented to constantly keep pace and update the equipment because frankly, Mary’s Metal Mangler’s is working just great. And so, you’ll get a lot of the, “if it’s not broke, don’t fix it.”

Robert
And the other element of that is we need metals. Mary’s Metal Mangler working 24/7 is a critical part of our process. We are not going to meet our production rate goals if we’re taking Mary’s machine offline, whereas that machine could probably work pretty well on its own. Whereas all of the connectivity that we have with this Microsoft technology stack up there, we’re used to making changes much more rapidly.

Robert
So this is just one of those, again, impedance mismatches between the rate of changes in technology at one level in the factory itself versus another level down below. And every change represents a risk to that operational state. So, the less changes I make, the more I reduce my risk. The more I reduce my risk, the more likely that I am to meet my operational metrics, which is how much I’m producing, what’s the quality, what’s the resource consumption rate and so forth.

Caroline
And I think that’s what makes this problem so hard. You know, like you brought up a really good point. And what I’m hearing is that OT is incentivized to keep everything running. You know, their jobs are dependent on that production. IT on the other hand is, you know, prioritized and incentivized to make updates to protect the systems in the data.

Caroline
And it’s like those incentives completely contradict each other. So, can you shed some light on this a little bit? Like, is there light at the end of the tunnel? You know, how in the world are you supposed to balance these differences and kind of put everybody on the same team?

Robert
Well, I think everybody’s on the same team to a large extent, but the team might not necessarily agree on, you know, what’s the best approach. And for them, I mean, a lot of what our IT departments are doing is that we’re providing services to a whole set of departments within the broader business. I’ve got a sales department, I’ve got accounting, I’ve got finance, I’ve got marketing, I’ve got HR, and I’ve got all sorts of folks who we’ve been trying to get everything connected as much as possible.

Robert
And we want to keep pace with the latest and greatest so that everyone can optimize as much as possible with all these wonderful new technologies in place. Fantastic. That is usually a fairly low risk perspective in terms of doing things where we get down to the factory space again, we’ve got things which are working perfectly fine. I don’t need to necessarily update and rip and replace all that equipment every three years.

Robert
In fact, doing so increases that risk. It increases the probability of us having to interrupt flows and such. And so this is the mindset that’s at play is, you know, I’m operating at a certain level of productivity that is all about tiny little optimizations while we’re thinking in the IT side that we’re going to make significant leaps with this new upgrade to the software package and whatever. It’s the fact that manufacturing group stands out as being the exception, and we have to let the IT folks know is that when we’re there to connect things, we’re going to do it because it’s going to help.

Robert
We’re going to do it a little bit differently. Similarly, from the security perspective. Yep, we’re going to do many of the same kinds of steps, but we’re going to do it a little bit differently. Keeping in mind, probably what I would say is the one significant differentiation, and that’s safety. If I go and make changes and updates to whatever systems the HR department is using or sales accessing Salesforce or something like that, yeah, someone might say, Oh, this is painful because oh gosh, the performance is slow or connectivity is spotty or something like that, but nobody’s getting hurt on the factory floor.

Robert
The potential that change may introduce increasing the risk to the safety of the workers is very real. And if there’s any one thing that really differentiates it is the fact that the kinetic impacts may introduce physical harm to the people whom we have working in that environment.

Doug
And I think that’s a big, important thing that people need to look at is that risk tolerance level and that the capabilities of when they’re looking at those and trying to assess where should we update, where do we need to make these changes? And it’s just probably not just security, but it’s across the board when they’re making any type of change in that shop floor.

Doug
That is a key area. And safety is the number one thing in the OT departments versus uptime and I think I think that’s a big note too for people to take off from this.

Robert
Yeah, my father-in-law ran a refinery, chemical plant, really. And he’d always talk about the pressures that he had to meet certain production goals and such and the problems that might arise if the quality of a certain batch that went to a customer didn’t meet [standards]. And, you know, the problems. He had to fly to Japan and apologize to somebody, you know, personally to say, gee, we’re sorry, we didn’t meet that goal,

Robert
and we didn’t meet the standards that you’re used to. That was one thing. But he also told the story of what happened when somebody died in an industrial accident at his site and the very, very different, you know, look in his face and in his eyes, you know, in talking about these things. So, it’s very real. It’s out there.