Insight by Tenable

Time to unite operational, information technology

One way to view federal facilities – buildings, Navy bases, manufacturing and test sites, for example – is as a collection of discrete but interdependent infrastructures. Systems including heating, ventilation and air conditioning (HVAC), data centers and electrical distribution combine with mission-specific infrastructure such as manufacturing automation or shipboard fire control to form the whole.

Increasingly, agencies – like organizations in the private sector – are trying to consider the management of disparate systems in both buckets holistically. They understand that operational technology (OT) and information technology (IT) ultimately depend on one another for mission delivery. Without well-managed HVAC, computer servers can overheat and fail. Operational systems are increasingly connected to IT systems for remote control and monitoring, which brings the cybersecurity challenge over from IT to OT.

Therefore, growing numbers of organizations are finding that, from a strategic standpoint, it makes sense to integrate management of OT and IT, especially for cybersecurity. You can save money but, more importantly, improve security and mission assurance.

But that brings challenges.

Typically, each system or subset “belongs” to a different group. The chief information officer is unlikely to have an understanding of, much less control over, HVAC, process control or industrial manufacturing systems. Whoever maintains the plumbing and electricity probably never gets past the power supply in the data center.

So there are governance, human capital and training issues to work through in order to realize the efficiencies of the more streamlined approach.

Plus, the systems vary widely from a technical standpoint. A modern building control system may well run on an IP bus and therefore look and function very much like a data network. A manufacturing system, on the other hand, might use decades-old protocols on hardware designed to last equally long, unlike the servers, mobile devices, and network gear the IT staff replaces on three-year amortization schedules.

Federal News Network and Tenable convened a panel of federal experts to discuss these issues and offer from-the-field experience in how they’ve worked the OT-IT convergence.

Tune into the video to learn the latest thinking in this important convergence and how – and why – you can get started at your agency.

Information Technology and Operational Technology Infrastructure

We re-strategized, and looked at who the players were in each of these areas that, as an OCIO shop, we normally did not play in. And what information would we require in order to bring these [operational systems] into our portfolio without increasing or adding undue risk to the operations.

The Risk Management Framework and Risk Assessment

There’s a considered effort in the Navy to begin to limit the number of disparate control systems or vendors that we use. Over the years it becomes unwieldy. There’s a similar story to the afloat environments and how we begin to standardize systems … as they further and further work towards this IT/OT convergence.

The OT and IT Convergence

Take an information security person and detail or assign them to an operational technology unit to learn the language, to learn the different operating procedures. And do vice versa. Take the operational technology people, and make them sit at a help desk for a while and deal with the questions they get. They’ll find [OT and IT] are very complementary and synergistic.


Panel of experts

  • Philip George

    Director of Cybersecurity, National Nuclear Security Administration

  • Chris Cleary

    Chief Information Security Officer, Department of the Navy

  • Marty Edwards

    Vice President, Operational Technology Security, Tenable

  • Tom Temin

    Host, The Federal Drive, Federal News Network
