A Tale Of Two Giants

The IT/OT convergence that is propelling the Fourth Industrial Revolution has opened up a can of worms in terms of risks to IT enterprises and industrial control systems, and those risks are being mitigated by teams on both the IT and OT side.

Recently, I had meetings with 2 of the world’s largest global energy giants about the cyber-security within their extraction facilities and offshore platforms, which presented me with a dichotomy of sorts that I found to be worth sharing. For confidentiality purposes they shall remain unnamed, so I’ll refer to them as Giant of the East and Giant of the West. First and foremost, it’s important to understand that they’re identical in nature for all practical purposes. The two giants have the same massive level of brand recognition, operate in the same regions around the globe, serve the same markets, and are about the same size, and they’re both looking for ways to improve their cyber-security defenses. They were also both interested in using Indegy’s industrial cyber-security product in their environment.

The Giant of the East has the strategic goal to be the safest energy company in the world. Many responsibilities related to the introduction of new technologies lie within the OT side of the organization, with operational engineers holding the reins on projects. Safety is always the dominant factor, with the IT folks following their lead.

Not surprisingly, Indegy’s product helps to bridge the divide between IT and OT worlds. Since both giants need a solution to help them detect and mitigate the risks brought on by the convergence of IT and OT, they are both interested in our solution.

IT and OT come from different worlds, speak different languages, have different sets of priorities, and diverse ways of solving problems. Tools that help bridge the two worlds are becoming more and more critical to managing the IT/OT convergence, and particularly in the realm of risk mitigation.

The IT-driven Giant of the West manages all of the communications between the OT infrastructure (the offshore rigs, wells, refineries, etc.) and the corporate headquarters. A recent spate of cutting-edge, efficiency-focused projects has introduced many new risks that were previously non-existent. For example, known malware such as Mirai, which affected millions of IoT devices, or unknown malware threatening the industry, like Pin Pals, has caused the Giant of the West to take a closer look at the new network connections from the OT infrastructure, and the risks they bring to the IT side of the organization. The Giant of the West is particularly worried about the disparate networks that may traverse hundreds or thousands of miles, with devices spread out geographically in a way that makes them very difficult to secure. Additionally, they know very little about the engineers coming and going to the rigs and plants, the devices carried by the engineers, or their device security posture. Their efforts are focused on finding ways to protect the IT infrastructure from the OT world. They are tasked with mitigating the risks and answering questions like “How do we prevent someone from hacking into headquarters from the OT environment, the PLCs, and other devices that live on that network?” In a nutshell, they are concerned that threat actors will use the PLCs or RTUs from the industrial control process to hack into the IT networks.

Only a couple of days later, I found myself in the lair of the Giant of the East, discussing a different set of cyber-security risks that were practically from the opposite perspective. They were mostly concerned with the risks posed to OT from the IT side. With the steady flow of headlines broadcasting information about data losses and breaches, one after another, and the increase in significance and impact, it was easy to read the level of alarm on their faces. The Giant of the East, in its quest to be the safest energy company in the world, has developed a risk-averse mentality to introducing new technologies to the infrastructure, unless the new tech reduces risk. When combining that attitude with the flow of headlines, it’s easy to see how they would be anxious about the insecurities within the IT world and the impact of connecting OT to such networks. In particular, they were worried about malware infecting a machine on the IT network in headquarters and propagating itself through the network until it hits the process control infrastructure. One could imagine the huge global impact if terrorists or saboteurs were able to come across the internet and completely take over the energy giant’s production facilities. To this giant, the threats coming from IT add a new dimension of hazards that oppose their mission statement – to be the world’s safest energy giant.

Each giant straddles the divide left by the convergence of IT and OT, searching for ways to mitigate risks posed by the other side. Each giant believes the bulk of risks inherent to the IT/OT convergence are coming from the other side of the divide. And yet, both giants have the same requirements and needs, although the use cases are different. Essentially, both giants need better visibility and control of their industrial control systems. Both giants were invested in the overall risk posture of the organization as a whole. When addressing disparate use cases and the risks that cross the IT and OT landscape, having both IT and OT as stakeholders is needed to ensure success in both environments. Otherwise, you may find yourself facing a giant problem.