Questions for Security Experts

Great discussion

Not questions, but my $.02 on the matter if I were sitting in front of the group.

I would emphasize that IT/OT are one team with different tools and approaches. Then focus on requirements and look at security vulnerabilities and countermeasures from a risk perspective. Discuss the "CIA triangle", Confidentiality, Integrity, and Availability, and that OT often favors Availability whereas IT security is more used to the C and I.

For example, your organization may have PLCs with local HMI stations for status and control. You may have a business network where users are allowed remote access. You might also have a remote access requirement for PLC/HMI programming, which is more strict than remote access to the business network. On the OT/process side, you might have equipment that would be extremely dangerous to run without a safety operator physically in front of it, but business users need regular aggregate production reports with data sourced from it. The point is - there are lots of requirements from many stakeholders - get them out in the open.

You could imagine different ways to meet these requirements. From a security perspective, you might separate or segment your networks. IT can help with that - even providing secure remote access. OT/PLC folks can tackle process safety such as hardware disconnects and such. As a team, you might get crazy and "air gap" (physically separate networks), only transferring historical data through a one way "data diode". It might be enough to segment or layer your networks, with minimal touch points - such as the SCADA server talking to both sides via controlled interfaces. The point here is to agree on the implementation. For example, OT might point out that the super-secure IT solution presents cases that risk locking out users from performing their duties during operations - perhaps a "break glass" backdoor is warranted. IT might point out that the old/current way that OT uses phone dialers or Internet connected PCs is too risky - that VPNs provide more secure access.

In summary - "one team, one fight", and work together to best meet all of the organizational requirements with the best tools for the job. It sounds stupid, but I've seen numerous cases where, for purely political reasons or disagreement, one side tries to do the other's job without their support, which tends to lead to an epic fail.
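As an added illustration (not part of the original post), the layered segmentation the reply describes, with the SCADA/historian relay in a middle zone, no direct IT-to-OT path, and an audited "break glass" exception, modelled as a default-deny policy checker in Python. Zone names, port numbers and the ticket format are constructed assumptions, not from the post.

```python
"""Toy IT/OT segmentation policy checker (added example, not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Three zones: business IT, a DMZ holding the SCADA server / historian relay,
# and the OT control network with PLCs and HMIs. Names are constructed here.
ZONES = ("business", "dmz", "ot")

# Default-deny allow-list of (src_zone, dst_zone, dst_port). Ports are illustrative.
ALLOW_LIST = {
    ("business", "dmz", 443),    # users fetch aggregate production reports from the DMZ historian
    ("business", "dmz", 3389),   # engineers open a session on the DMZ jump host for PLC programming
    ("dmz", "ot", 502),          # SCADA server polls PLCs (Modbus/TCP) through the controlled interface
    ("dmz", "ot", 44818),        # jump host programs PLCs (EtherNet/IP)
    ("ot", "dmz", 4000),         # historian push: the only OT-initiated path, and only to the relay
}

# Engineering ports that an approved break-glass ticket may open directly business -> OT.
BREAK_GLASS_PORTS = {44818}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def evaluate(flow: Flow, audit: list[str],
             break_glass_ticket: Optional[str] = None) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow; break-glass use is appended to audit."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return "deny", "unknown zone"
    if flow.src_zone == flow.dst_zone:
        return "allow", "intra-zone traffic is outside this policy's scope"
    if (flow.src_zone, flow.dst_zone, flow.dst_port) in ALLOW_LIST:
        return "allow", "matches allow-list"
    # One-way rule: OT pushes data out only to the DMZ relay, never toward business.
    if flow.src_zone == "ot":
        return "deny", "OT may only push to the DMZ historian relay"
    # The break-glass exception is the one way around the "no direct IT-to-OT path" rule,
    # and every use of it is recorded so it can be reviewed afterwards.
    if flow.src_zone == "business" and flow.dst_zone == "ot":
        if break_glass_ticket and flow.dst_port in BREAK_GLASS_PORTS:
            audit.append(f"BREAK-GLASS ticket={break_glass_ticket} "
                         f"{flow.src_zone}->{flow.dst_zone}:{flow.dst_port}")
            return "allow", "break-glass exception recorded"
        return "deny", "no direct business-to-OT path; use the DMZ jump host"
    return "deny", "default deny"


def evaluate_all(flows: list[Flow], audit: list[str]) -> dict[Flow, str]:
    """Evaluate a batch of flows (no break-glass) and return the verdict per flow."""
    return {f: evaluate(f, audit)[0] for f in flows}


if __name__ == "__main__":
    log: list[str] = []
    sample = [
        Flow("business", "dmz", 443),
        Flow("business", "ot", 44818),
        Flow("ot", "business", 443),
        Flow("ot", "dmz", 4000),
    ]
    for f, verdict in evaluate_all(sample, log).items():
        print(f"{f.src_zone:>8} -> {f.dst_zone:<3} :{f.dst_port:<5} {verdict}")
    print(evaluate(Flow("business", "ot", 44818), log, break_glass_ticket="INC-0001"))
    print("audit:", log)
```

The ordering of the checks is the point: the allow-list is consulted first, then the one-way OT rule, and only then the break-glass exception, so an emergency ticket can never widen anything except the explicitly listed engineering ports, and each use leaves an audit entry for the OT and IT teams to review together.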