Collaboration Challenges that Impact IoT Security
A foundational issue for cybersecurity in the built environment is the organizational friction generated by the increasing integration of two technological systems, Information Technology (IT) and Operational Technology (OT). This integration is often called IT/OT convergence. These two systems are embedded in the siloed institutional histories and work practices of the professional domains that historically managed the technologies of each system. OT is predominantly within the domain of engineering and skilled trades professions, often governed by a building’s Operations & Maintenance (O&M) department together with the manufacturing, installation, and maintenance companies that specialize in these systems. IT is a part of the computer science discipline and is generally managed in an organization’s IT department, a unit with substantially different educational backgrounds and industry culture than O&M.
The siloed evolution of each set of technologies creates risk because it has generated very different management structures and occupational cultures and has facilitated a responsibility vacuum in organizations around the security of Internet of Things (IoT) devices. This means that any collaboration between O&M and IT departments is built upon a foundational misunderstanding of how each system operates. This misunderstanding then manifests in ways that appear to be diametrically opposed in the organizational cultures and practices of O&M and IT.
The responsibility vacuum negatively impacts IoT security as well as operational effectiveness. For example, historically OT did not require daily intervention to detect maintenance needs; IT, however, requires daily human and automated support to identify vulnerabilities. The differing organizational cultures and work practices have led to conflicting expectations between O&M and IT on how and how often to intervene with IoT devices to ensure security and privacy, and to persistent difficulties in coordinating work and sharing information between O&M and IT teams. (See the table below for more examples of technological and organizational differences between OT and IT and their impact on IoT security.)
Differences between OT and IT systems and their impact on IoT risk*
Finding Collaborative Solutions that Fit Organizational and Policy Requirements
Members of the building industry and security systems industry have suggested that stronger collaboration between O&M and IT could mitigate convergence challenges related to IoT. However, improving collaboration requires having the opportunities and the communication skills needed to share expertise in meaningful ways and to determine the best pathways for coordinating work tasks, all of which need to fit the organizational and policy requirements that shape how and in what ways O&M and IT professionals work.
For example, organizations are currently adopting the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework to improve collaboration between IoT stakeholders and clarify IoT governance. In addition, the US Congress’s latest IoT bill, H.R. 1668, continues to work its way through the legislative branch; states have also begun working on legislation that would affect IoT devices, and privacy legislation has appeared in some states, such as California’s A.B. 375. However, IoT-related public policy is in its infancy, and questions remain around how public policy affects professional daily practices and how, in turn, these practices affect the implementation of these policies.
How This Research Will Help
While stronger collaboration between IT and O&M professionals may improve IoT security, there is little guidance on how to achieve it. To this end, this research will investigate how daily practices operate within public policy and organizational frameworks, as well as the complications these frameworks may create for collaboration, while also engaging the heart of the cultural and organizational challenges that impede IT and O&M collaboration. We do this by tracing the dynamic interactions between federal and state legal policies, formal organizational policies and procedures, and the informal daily work practices of O&M and IT as they implement and maintain IoT in higher education settings. We will identify which combination of these mechanisms, structures, and strategies supports the collaborative work needed to bridge the IT/OT divide and improve collaboration around IoT cybersecurity.
*The table above was created based on the works of Hardin, Dave, Eric G. Stephan, Weimin Wang, Charles D. Corbin, and Steven E. Widergren. 2015. “Buildings Interoperability Landscape.” PNNL-25124. Richland, Washington: Pacific Northwest Regional Laboratory, U.S. Department of Energy. https://energy.gov/sites/prod/files/2016/01/f28/BuildingLandscapeReport.pdf; Chipley, Michael. 2017. “Cybersecurity.” Whole Building Design Guide. Last modified March 27, 2017. http://www.wbdg.org/resources/cybersecurity.php; and Freas, Benjamin. 2016. “How to Protect Corporate Building Networks From Cyber Attacks.” Forbes, September 13, 2016. http://www.forbes.com/sites/pikeresearch/2016/09/13/cybersecurity-and-intelligent-buildings/#d89ce1c3150a.