Industrial cybersecurity: know the biases that can derail collaboration between OT and IT

Nov, 03, 2021 Hi-network.com

In a successful marriage, each partner understands what the other needs, and what they can't tolerate. Industrial cybersecurity requires the same sort of partnership, in this case between the operational technology (OT) and information technology (IT) teams. IT contributes the cybersecurity tools and skills. OT brings an understanding of each asset, its impact on the business, and when it can be taken down without affecting safety or production. Neither team can succeed alone.

In our work with manufacturers and critical infrastructure providers around the world, we've seen that OT and IT teams often have biases that can derail collaboration. In this blog I'll explain these misunderstandings and how to overcome them to protect industrial networks.

OT bias: "Cybersecurity is just another engineering task"

Cybersecurity is a relatively new concern for OT teams, who might see it as "yet another constraint." Industrial control systems (ICS) engineers have dealt with complex process controls for years. Understandably, they tend to assume that cybersecurity is just one more. In their view, OT cybersecurity can be added early when designing an industrial project and managed in the same way as safety or reliability.

They are not wrong, but they need to be aware of important differences. For example, whereas electrical system designs can be good for decades, new cyber threats pop up every day. Attackers have the motive (money) and the opportunity (a growing set of tactics and software) to find and exploit the weakest link in industrial networks. Cybersecurity requires continuous improvement to cope with the fast pace of change.

Our recommendations for OT teams:

  • When designing new production infrastructures, loop in your IT colleagues very early in the design stage. Explain any constraints, such as uptime requirements, and ask for their cybersecurity recommendations. Work together to make your OT system "secure by design."
  • Ask IT to regularly assess workstation hardware and software for vulnerabilities. The WannaCry ransomware attack targeted workstations running Windows XP, introduced in 2001. While decades-old control system designs might still be relevant, old computer systems require modern security protections.
  • As with safety and reliability engineering, invest in skills, people, and processes. Plan for cybersecurity up front, not as an afterthought. Make it a priority to train every ICS engineer. Regularly assess and remediate risks.
  • Stay current on new threats. Criminal organizations are never short of ideas. Keeping an eye on new attack tactics and techniques will help you engineer stronger OT processes and systems.

IT bias: "We'll just copy-paste what we did for IT applications"

IT teams might think they can apply the same security practices to OT systems that they use for enterprise applications like email. They're also biased toward making IT the sole administrator of OT systems, reducing the risk of stolen credentials or configuration changes that could introduce vulnerabilities.

Both biases cause big problems. Take patching. While most IT systems can be briefly taken down for security patching, many OT systems can't. OT is about producing goods and services 24 hours a day, seven days a week. A furnace operating at 1300
