2020 OT Risk Perspective: IT-OT Athletes Are Rare

Three decades ago, Nike’s iconic “Bo Knows” campaign featured TV commercials of teammates marveling at Bo Jackson’s incredibly rare skill set. He was the first modern professional athlete to play on Major League Baseball and the National Football League teams in the same year. The advertising posts promoted cross-training shoes that Nike designed for athletes who played more than one sport and had little time to switch sneakers.

Today, those cross-trainers would come in handy for third party risk management (TPRM) professionals, information technology (IT) professionals and operational technology (OT) engineers charged with mitigating OT risks during a period of rapid IT-OT convergence. Precious few professionals possess enough OT and IT know-how to singlehandedly ensure that increasingly digital OT environments do not pose IT security risks to their own companies or their client companies. That’s because it generally takes years of training and on-the-job experience to become a seasoned IT or OT expert — and little of that expertise overlaps. While it is imperative for IT, OT and TPRM professionals to collaborate, many of these experts have yet to do so.

That explains why raising awareness of risks related to IT-OT convergence represents a major OT risk management issue in 2020, according to Santa Fe Group Vice President of Research Mike Jordan, who monitors trends in supply chain risk management and comes from a manufacturing industry and cybersecurity background. Jordan identifies several other OT risk management focal points for the coming year, including the following areas:

  • Committing to collaboration: “For OT risk management to work, IT and OT teams have to acknowledge that they need each other,” Jordan notes. “Given how complex each discipline is, it is impossible to teach everyone involved everything about OT, IT cybersecurity and third party risk management. There’s really no point trying to make a cybersecurity person also do an OT person’s job, or vice versa. What you have to do is get them together and make it clear that they all have integral roles in solving problems related to OT risks.”
  • Establishing governance: Executive sponsorship and a governance structure mark two fundamental pillars of an effective OT risk management capability. It needs to be decided and understood, for example, how disagreements are settled. If the implementation of a cybersecurity process would result in a manufacturing system’s down time, who decides whether that implementation should go forward or be altered to eliminate any down time? “You’ve got to work those things out,” Jordan continues, “The same holds for budgeting decisions. Who’s going to pay for additional security in the OT environment and who makes the decision about who pays?” Jordan stresses that a one-size-fits-all approach does not exist for OT risk management governance, given the highly customized nature of most OT environments.
  • Getting out of professional comfort zones: Effectively assessing risks within OT environments does not require a mechanical engineering degree and decades of factory floor experience. However, it does require TPRM professionals and other non-OT assessors to understand what they’re looking for and how to communicate what they find. One of the Shared Assessments Operational Technology Risk Management Working Group’s mandates is to help TPMR practitioners expand their knowledge of OT environments and the risks posed by IT-OT convergence. When it comes to cybersecurity knowledge, a non-IT professional should be able to distinguish between a vulnerability scan report and a penetration test report, Jordan says by way of example. Non-OT professionals assessing OT risks should be familiar with the Purdue Enterprise Reference Architecture (the Purdue Model) for Industrial Control Systems and know what a programmable logic controller (PLC) does.
  • Involving more parties in the risk discussion: Effective third party risk management requires outsourcers and vendors to work together to address problems in a risk-savvy yet cost-effective manner. If a control requested by an outsourcer is not relevant to a given situation, the vendor should explain why that’s the case so the two parties can reach an accommodation. “When it comes to OT, you have to bring in more parties to the discussion,” Jordan points out. This is the case because OT environments tend to be highly customized and maintained by several different groups. Support and maintenance may be handled by an outside company. The same holds true for physical security as well as the hardware and software used in the OT environment. “Those types of third parties are important to interreact with when you’re trying to understand and assess OT risk,” Jordan adds.

That interaction is especially crucial given the lack of IT-OT dual athletes on most companies’ rosters. Addressing that pervasive OT risk management challenge doesn’t require state-of-the-art cross-trainers, but a little cross-training and a lot of collaboration certainly will hope as IT-OT convergence advances in the year ahead.