Once upon a time there was an industry that built equipment and systems for permanence. Very few people were “in” this industry and even fewer really understood and spoke its language. The central components of Industrial Control Systems, the management platform and the end points, were designed to last 10, 20, 30 years or more. They were engineered to operate in every climate from Alaska to Arizona and still perform within manufacturer specifications. They were programmed to withstand all kinds of ‘pilot error’ with numerous safety and self-checking capabilities. ICSs were the original ‘plug and play’ systems that just worked in every Town, City, State and Province across North America. With the exceptions of Mother Nature and internal sabotage they operate without ceasing, 24 hours a day, 7 days a week, 52 weeks a year, year after year, until a component needs to be repaired or replaced. In earnest, this industry began in the late 1940s and early 1950s and continues to live, grow and thrive to this day.
About 20 years later the modern Internet was born, and about 20 years after that it was commercialized, with a broad portfolio of products and services built on inter-connected technologies. Its main purpose was to connect, inter-operate and simplify tasks for the end users of data. It evolved from a small US government experiment, to limited use within certain industries, to widespread adoption across almost every industry and company size (from small businesses to multinational corporations), to everyday consumers like you and me. This technology has been in hyper-growth mode for over two decades and still shows no sign of abating.
These two technologies, Industrial Control Systems (typically referred to as OT, Operational Technology) and Internet Technology (part of IT, Information Technology), started on a collision course over 10 years ago and have since met with widely varying degrees of acceptance, adoption and integration, along with apathy, passivity and procrastination.
While Internet Technology does not make the ‘job’ of the OT equipment more efficient or effective, it does make the operation (read: costs) of the OT more efficient and effective. OT systems require manpower to operate 24/7, and manpower is expensive over the long haul. At the same time, OT systems would be of far greater value, and would positively impact the bottom line, if the owners and landlords of this OT equipment found a way to:
(1) know when a component is failing and have a spare part ready to replace it before the failure;
(2) respond to and correct some system errors remotely in seconds rather than send somebody out to repair them, which could take hours or days; and
(3) get real-time, comprehensive health reports of the overall system(s), something that was nearly impossible for a human being to produce.
The equipment in the OT industry was designed and built by very few companies, each with their own end-to-end solution, to be:
(1) self-contained and not connected;
(2) run 24/7/365 and be completely autonomous; and
(3) run on proprietary protocols everywhere inside the system, which, together with that isolation, served as its de facto security (obscurity and air gap rather than any deliberate protection).
IT, on the other hand, was designed by many different companies to run on many connected (hardware) devices and across many different inter-operable types of (software) systems.
So begins this Oil and Water relationship, one that would never have happened unless there was substantial money to be made and/or saved.
The good news about IT having visibility across an OT platform is that the reach, visibility and shorter response time it brings are desirable and beneficial to the owners and landlords. Within IT, the good news is that you can reach nearly anybody, anyplace, anytime. The bad news is that other people (around the world) can reach you anytime and anyplace, including unauthorized personnel and outsiders.
So what happens when you combine a hyper-extensible network with a system that was never designed to be reachable from the outside? What happens when you integrate a technology built on interoperability with a technology that was designed and built to operate in a self-contained environment? What happens when you combine inter-operable protocols with proprietary protocols?
Usually, you get varying degrees of discord among the owners and landlords of the technology around interoperability, usability, visibility, contamination resiliency and, of course, security, just to name a few.
What is often missed is that the two camps have two very different ‘sine qua nons’ that are sacrosanct in their respective industries. For OT it is resiliency and Availability; for IT it is protection, meaning Confidentiality and Integrity. Together these make up the bedrock of cyber security protection (Confidentiality – Integrity – Availability, or C.I.A.), yet the two camps validate the efficacy of their controls in very different ways: OT asks whether the process kept running, IT asks whether the data stayed secret and unaltered.
Since the ‘application’ is providing electricity, water, gas, etc. to customers and suppliers, OT’s availability must be the combined priority of these two camps. To achieve this, the following questions must be addressed:
• How do you maintain resiliency after inserting Internet Technology into an ICS environment?
• How do you maintain up-time after you add new protocols, equipment and technologies to the self-contained, proprietary and isolated ICS network?
• How do you ensure that the new technology does not negatively impact the legacy technology, which is what actually delivers resources and services to the customer base?
A path forward is for the stakeholders to view this inevitable symbiosis as a ‘both-and’ and not an ‘either-or’, and to create a security program that enforces C.I.A. for all technologies under their roof and is demonstrably effective, verifiable and all-inclusive.
If you are adding Internet Technology to a legacy ICS system, it needs to focus on the monitoring and reporting function and not necessarily the management and control function*. In practice that means the IT side should only be able to read process data out of the ICS network, never write set-points or commands into it. Internet Technology should support the Industrial Control Systems, not the other way around.
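One way to make “monitoring and reporting, not management and control” enforceable rather than a policy statement is to put a read-only filter between the IT monitoring host and the ICS network. The following is an added example, not code from the original essay or from any ICS vendor. The essay does not name a protocol, so Modbus/TCP is assumed here; the filter forwards only the public read function codes (1 to 4) and drops, failing closed, every write, diagnostic or malformed frame. The sample frames are constructed for the example.

```python
"""Read-only gateway filter for a monitoring-only OT integration (added example).

Assumption: the ICS speaks Modbus/TCP. The filter sits in the request
direction (IT host -> ICS) and lets through only read function codes,
so the IT side can observe the process but cannot change it.
"""
import struct

# Public Modbus function codes. Reads are 1-4; everything else is denied.
READ_ONLY_FUNCTION_CODES = {1, 2, 3, 4}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_modbus_tcp(frame: bytes):
    """Return (transaction_id, unit_id, function_code, pdu_data); raise ValueError if malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("length field does not match frame size")
    fc = frame[MBAP_LEN]
    return tid, uid, fc, frame[MBAP_LEN + 1:]


def filter_frame(frame: bytes) -> tuple:
    """Decide whether an IT->ICS request may cross into the control network.

    Returns ("forward" | "drop", reason). Anything unparsable is dropped,
    so a gateway bug never turns into an accidental write path.
    """
    try:
        tid, uid, fc, _ = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    name = FUNCTION_NAMES.get(fc, f"function code {fc}")
    if fc & 0x80:
        return "drop", "exception-response code seen in request direction"
    if fc in READ_ONLY_FUNCTION_CODES:
        return "forward", f"tid={tid} unit={uid} {name}"
    return "drop", f"tid={tid} unit={uid} {name} is not a read"


def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used here only to build sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: two reads, two writes, one truncated frame.
SAMPLE_REQUESTS = {
    "read 10 holding registers from 0x0000": build_request(1, 1, 3, struct.pack(">HH", 0, 10)),
    "read 8 coils from 0x0000": build_request(2, 1, 1, struct.pack(">HH", 0, 8)),
    "write single register 0x0010 := 0x00FF": build_request(3, 1, 6, struct.pack(">HH", 0x10, 0xFF)),
    "force coil 0x0002 ON": build_request(4, 1, 5, struct.pack(">HH", 2, 0xFF00)),
    "truncated frame": b"\x00\x05\x00\x00\x00\x06",
}


def run_filter(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample label to the filter's decision."""
    return {label: filter_frame(frame)[0] for label, frame in requests.items()}


if __name__ == "__main__":
    for label, frame in SAMPLE_REQUESTS.items():
        decision, reason = filter_frame(frame)
        print(f"{decision:8} {label:42} {reason}")
```

The allowlist is deliberately short: the safe default for a monitoring link is to name the few operations the IT side needs and deny the rest, rather than enumerate the dangerous ones. A production gateway would also reassemble TCP streams, log every drop for the SOC, and ideally run on a unidirectional (data-diode style) path so that a compromise of the monitoring host still cannot reach the control function. Extending this to allow authenticated writes is the “much more involved process” of the footnote, not a one-line change.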
There needs to be a business reason, a definition of success by the Business/P&L Owners, that spells out the role of the technology to be used. The business owners need to define the end goal before any technology is added or synthesized into an existing network. The presence (or absence) of this definition will always determine the efficacy of the solution that is finally implemented.
Too often, Internet Technology overshadows the function of the Industrial Control Systems. Conflict begins so early in the game because the protection is prioritized ahead of the thing that needs to be protected.
Keep in mind, even doing this the right way is no easy task. Synthesizing the permanent with the disposable is a project that cannot be taken lightly by Management or the IT staff. Bringing together two very different technologies that were born, raised and developed in two totally different eras is a task that must be planned first, with the customer data treated as sacrosanct and everything else lined up to support or protect it.
We’ve come a long way since the merging of these two technologies was first discussed in earnest. We’ve come from the time when Industrial Control System vendors would ignore any attempt to adopt Internet Technology, to its now being an inextricable part of their inventory of products and services. From the time Internet Technology vendors would avoid Industrial Control System customers with protection requirements, to their now having built equipment, (bridge) protocols and management interfaces for this legacy equipment. From the time customers would not allow their own company’s Internet Technology team to speak with the Industrial Control System team, to now some doing short- and mid-range strategic planning together.
While progress has been made, we still have a long way to go. Industrial Control Systems Security remains a critical issue.
The most efficient and effective way to protect this equipment is for the business owners to
1) define and enforce the priority as the data (e.g. the products being extracted, bought, sold, transported), and then
2) have technology demonstrably support and protect that data, with verifiable management and controls implemented across the legacy network.
* Note: You can have both monitoring and control, but it will be a much more involved process, because every write path into the ICS then has to be authenticated, authorized and auditable.