“You need state-of-the-art IT technology, but you need to use it with OT practices and procedures.”
You need to understand the impact of any changes you make to controls and control systems in an OT environment. Before you make any change, it’s important to analyze what is going to be done, how it will affect systems and processes, who is going to authorize it, and who is responsible for testing the change. You also must verify that it is working correctly. Numerous procedural mechanisms are in place to verify changes before they reach the controller level and to validate them afterward.
It is different in the IT world, where system administrators can make changes but then risk losing traceability if they find new issues when passing systems from the test environment to production. As IT systems have become more complex and agile, IT has developed tools to monitor and track changes in the IT environment.
Now, as you begin to see more IoT control systems and devices spreading into the OT environment, you recognize some similarities between IT and OT, where a single administrator might be managing several devices. As you acquire more of these kinds of controllers and the life cycles for these control systems shorten, it’s necessary to have a procedure and a tool for tracking and configuration management. In some cases you can use the same tool for discovering device configurations and uploading changes to the device. These tools are similar to the tools used in the IT world, but they cannot be used in the same way in the OT environment because OT engineers cannot work the same way that IT system administrators can. You need state-of-the-art IT technology, but you need to use it with OT practices and procedures.
This is an excerpt from 7 Experts on Protecting OT Environments against Targeted
Cyber Attacks. This eBook was generously sponsored by PAS.