Deloitte Cyber leader discusses IT/OT security challenges

It wasn’t too long ago that manufacturers’ information technology (IT) and operational technology (OT) teams and technologies were completely separate. In recent years, however, the two have converged, as manufacturing operations became IP-enabled and formerly standalone industrial control systems (ICS) became connected as part of the Industrial Internet of Things (IIoT). This has led to a new phase of industrial revolution, Industry 4.0, in which manufacturing systems are interconnected, data-driven and increasingly automated.

Industry 4.0 has also created new cybersecurity challenges for manufacturers, because the IIoT is open to the same threat landscape facing traditional IT. This is both a technical and an operational challenge: IT and OT teams historically had no reason to interact, but today interaction is a necessity. For example, threat actors can penetrate OT networks as an “on ramp” to IT networks, and vice versa, so it’s imperative that there be a unified security strategy across functions.

Cybercrime Magazine recently addressed this topic in a podcast featuring Ramsey Hajj, Deloitte Cyber’s Global Industrial IIoT/ICS Leader. Here are some of the key points they discussed:

What kind of risks exist in factories?

Ramsey Hajj: All you have to do is look at the news, and you see manufacturers face the same risks as other businesses: nation-state attacks, ransomware attacks, intellectual property theft and so on. When I assess risk for our manufacturing clients, I consider both the financial and operational impacts of these attacks, as well as the life and safety impacts. These OT systems drive revenue for their businesses – the loss of any one of them can be very damaging.

How do you see IT and OT functioning together?

Ramsey Hajj: The divide between operational technology and information technology has existed for a long time. A lot of it is due to the fact that the two groups never needed to interact until recent years. In many cases today, they’re being forced together. So, the challenge for manufacturers is: “How do I make room at the table for everyone?”

And how do you make room at the table for everyone?

Ramsey Hajj: You have to bring them together and correct any misunderstandings one group may have about the other. They need to understand that it’s strategically important for them to work together rather than be adversaries. You can help this process by having the two teams work together in cyber simulations, for example. Manufacturers typically have digital twins of the factory that are used by IT for cybersecurity testing, and by OT for business process testing and refinement. If the two groups work together on this testing, they can begin to understand how their activities may impact the other side – for example, a change in a manufacturing process might open a cyber vulnerability that the IT people need to know about and remediate before the process is implemented.

What else can be done to improve this disconnect between the groups?

Ramsey Hajj: It really becomes a cultural change. It’s not enough to create a governance structure across the enterprise – it’s also a matter of living that structure. And by living it, I mean from the board room to the shop floor. Everyone should understand their role in the organization and how everyone working together produces a desired result. This is how you get people thinking about the entire organization – and that’s how you start on a path to true digital transformation.

With so much focus on digital transformation and work-from-home, do you think organizations understand how important cyber is to their success?

Ramsey Hajj: They’re starting to. Cyber generally falls under the IT function in companies, and this has to change. Cyber needs to be made an integral part of the business – a combination of technology and business operations. There needs to be a risk governance program in place where cyber sits right at the middle – this way it’s embedded in everyone’s work life. Some of this is art, and some of it is science. With digital transformation, the art is healing cultural rifts and making sure that the organization is ready to handle the technology required to support the transformation. Everyone wants to use the latest and greatest technologies, but if you haven’t built the foundation for deploying that technology securely and in a way where it doesn’t create more problems than it solves, you’re going to wind up with a lot of re-work or, worse yet, you’ll have to do a complete restart.

I like how you say cyber is part art – I think many people just think of it as science.

Ramsey Hajj: Yes, sometimes I tell people, “We’re digital marriage counselors.” That’s the art of cyber – getting groups to work together so the business can be more secure, resilient and successful.