SUCCESS IN IT/OT SECURITY PROGRAMS – BUILDING TRUST & RELATIONSHIPS

CXO THOUGHTS
Ron Brash, Director of Cyber Security, Verve Industrial Protection

Organizations and technology share a commonality: evolution. As with all progress, positive or negative, risk, ownership, and relationships follow suit. As part of that movement, executives are beginning to find that they may be responsible for Operational Technology (OT) within their organization, and that cybersecurity, which was traditionally an Information Technology (IT) or enterprise domain, is also falling under one roof. After all, centralizing risk and vulnerability management makes sense from a holistic, high-level effectiveness perspective, but will it be easy? No. The purpose of this article is to lend a critical piece of advice on how to avoid political debacles and stone-walling, and to help executives (CIOs, CISOs, and managing directors) find success in driving a security program that encompasses enterprise/IT and most (if not all) elements of OT.

Great, you are onboard, and you know that an organization requires People, Process, Technology and Governance/Compliance, but what if I told you:

“as an executive: your greatest asset is your ability to relate to individuals and build success.”

Traditionally, IT/data/information executive roles have been driven by concepts such as the Confidentiality, Integrity, and Availability (CIA) principles, NIST CSF, compliance, and fear of data breaches, but in OT a different mindset exists. It is one of Safety, Reliability, and Productivity (SRP), and a culture of engineering; where a functional process exists, lives, safety, and economics are potentially at risk. The difference is therefore one of priorities, and what is important in IT may not be important in OT.

For example, imagine an organization that generates and distributes electricity (the same could also be said for oil & gas). Enterprise manages many functions such as payroll, client billing, contracts, financials, and human resources. Consequently, data privacy, confidentiality, and integrity of the data are of key importance.

In OT, though, teams of operators ensure that electricity continues to be generated and distributed to the grid’s consumers (whether that’s homes, infrastructure, hospitals, airports, and so on), and this is their entire job: keeping it operating as expected, safely, and with minimal disruption.

So what is the difference? IT is largely concerned with data and its availability to the business or clients, but in OT, operators (usually) care not about the privacy or confidentiality of data, but about the fact that the lights stay on; they have to have complete trust in the processes used to generate and distribute electricity, with respect to lives and safety. Surely the OT teams want their personal information to stay safe within the organization, but it has little effect on their day-to-day jobs when compared to the bigger picture and their continued employment.

This generalized example highlights the fact that there are two (2) camps with overlapping responsibilities, technology, processes, etc. It is this divide, even with the overlap, that needs to be conquered in order to create a successful cybersecurity program with support across the organization. After all, people are people, and needs are different everywhere inside your organization; so, where do you begin? Here are seven (7) ideas:

  1. Find common ground. People want their concerns to be heard and acknowledged. In OT this is of even greater concern: many site owners merely want the process to continue being operated safely, reliably, and without risk of disruption.
  2. Deliver a genuine position and attitude that helps both sides perform their jobs more effectively, and without fear of a layoff or firing. Remember: “I’m not here to take your jobs, I’m here to help you continue working, and to not add more work long-term.”
  3. Build trust by starting small and continually championing everyone’s needs. If your initiative does not have full support from executives, or the budget, do not over-promise; this will inhibit future initiatives.
  4. Build rapport based on past experiences, and if experience is short, demonstrate a keen and honest desire to learn. Whether IT or OT, humans enjoy sharing and teaching, especially when it is a safe environment.
  5. Align to a framework. Common vocabularies and frameworks have tremendous value if they map to both sides. NIST CSF can indeed work alongside other OT standards, with exceptions managed appropriately.
  6. Enterprise projects often have budgets that outweigh those in OT. Look for shadow budgets and follow the trail of money (or rather, where it is generated) for the business, and ensure appropriate expenditure to protect continued revenue generation.
  7. OT teams are often rigorous and process driven. Use this to your advantage where it aligns to SRP.

After all, the key concept to remember is that people are people, and they have needs. And because the root word of cybersecurity is security, security to the business means remaining financially viable; as long as it is viable, there is a place for everyone to contribute to cybersecurity.