Chief Marketing Officer
Wednesday, June 12, 2019
By their very nature, operations technology careers are focused on the management of physical spaces, most of them local. Since the advent of the green building movement, smart devices have proliferated from office buildings and homes into hospitals, factories and even aboard cruise ships to save energy, increase worker productivity and develop more valuable, desirable living spaces.
Those localized devices are now being increasingly connected to networks, including the internet, in order to further boost efficiency and productivity. Aided by network connectivity, a single operations manager can monitor many more physical spaces from a distance than was ever possible locally.
Yet that jump from limited local to internet connectivity brings significant cyberattack risks. And the rise of those risks and their criticality is creating a growing gap between traditional OT skills and those needed today.
The signs of the increasing importance of cybersecurity to operations teams are already appearing.
Last month we sponsored a survey of OT pros managing a host of smart building control systems. With the first wave of phone interviews almost complete, LTM Research found about 20% of operations teams already had assumed responsibility for securing smart devices and control systems. Another 27% shared their cybersecurity responsibilities with IT. For 30% of those interviewed, IT was solely responsible for securing their smart building control systems.
For almost 50% of those surveyed, operations pros played a key role in cybersecurity for physical systems/controls. As more control infrastructures are connected to the IT network, those numbers are bound to increase. At this point only about 33% of those surveyed said their OT and IT networks were converged, and the sample is based on organizations which have purchased and deployed smart devices.
Given the business case for smart device connectivity, one might be tempted to think that the rate of convergence should be much higher. Most participants cited budget (67%) as the biggest barrier to achieving smart building goals, followed by the length of the planning and deployment cycle (23%).
There is clearly a good, bad and ugly aspect of OT/IT convergence:
Connecting "things" using traditional networking is not your biggest problem. The challenge is the growing attack surface created by inadequate networking of sensors, unconventional endpoints and outdated operating systems.
- Tempered Networks CEO Jeff Hussey, in Forbes
A massively expanding attack surface is exposing billions of internet-connected devices to the risk of malicious attack. Two years ago, two of the most destructive attacks in history (WannaCry and NotPetya) spread globally in hours and damaged everything from connected maritime shipping to health care devices, validating a 2016 Cybersecurity Ventures prediction:
In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
With OT/IT convergence well underway and cyber threats growing, one might be tempted into thinking that IT would simply handle convergence-driven security challenges. Yet that assumption has two critical flaws: 1) traditional IT security solutions weren’t architected for protecting control systems, many of which are running on vulnerable operating systems; and 2) there are already critical shortages of trained IT security pros.
A Gartner survey found that organizations are keen to integrate IoT and IT technologies (such as sensors, data stewardship, security and analytics) into OT systems. However, IoT deployment is still in the early stages, and most organizations don’t yet have the skills, expertise or time to drive the IT/OT alignment requirements.
Between the tools and personnel shortages and the growing attack surface, there is plenty of career opportunity for OT pros who understand how to easily protect these exposed systems. The risks can be catastrophic, as stated by network infrastructure expert Gabriel Lowy:
Gaping holes in data quality and integration with IP/TCP (Internet Protocol/Transmission Control Protocol) networks and their fragmented security layers leave both industrial control systems (ICSs) – and the IP data infrastructure they are increasingly interfacing with – vulnerable to debilitating attacks. These attacks can range from disrupting production facilities and supply chains to crippling vital services and safety systems.
The consequences can be severe: financial losses, regulatory fines, reputational damage, loss of control over critical infrastructure and services, and health issues, including environmental harm and loss of lives.
OT pros who get trained in cybersecurity will be able to pick and choose from plentiful career opportunities in coming years, allowing their employers to enhance safety while driving massive gains in efficiency and productivity. Because of growing internet connectivity, they will also be even more productive than their early peers confined to in-person operations management.