The special nature of OT environments and control systems requires additional care and attention when performing patching and vulnerability remediation that is not required when working in IT systems. Operations plays a critical role and must have the final say on starting any patching activity if a change impact analysis determines there is a possible impact.



In control systems and OT environments, special care and consideration must be taken to ensure critical defects and vulnerabilities are remediated in a safe and controlled manner. System administrators for OT environments must understand the nature of their patching, as well as the scope of impact in relation to the business processes. To achieve a high level of cohesion with business users and still meet IT/OT requirements for security and patch management, administrators must have a high degree of understanding of and respect for operations, know the scope of impact of requested changes, and have in-depth knowledge of system configuration and functionality.


Change impact assessments are a critical part of OT system maintenance, whereas in IT environments they are often minimal in scope. Since there are often fewer operational intricacies playing a role in IT systems, less care and consideration is given to the deployment of patches or fixes. They are often deployed at a pre-scheduled time with little concern for the current state of the gas or electric transmission and distribution grid, weather, and ongoing operations.


Various standards have been created for OT systems and control environments that reflect the critical nature of vulnerability and patch management.

  • ISA/IEC TR 62443-2-3
  • NIST SP 800-40 Rev. 4
  • NERC CIP-007-6 (System Security Management)
  • NERC CIP-010-1 (Configuration and Change Management and Vulnerability Assessments)
  • Security Directive Pipeline-2021-02C

In the realm of patch and vulnerability management, comprehending business operations is paramount. Administrators must be well-versed in the intricacies of day-to-day processes and how they interact with the control systems. By gaining this comprehensive understanding, they can tailor their patching and remediation plans to minimize disruptions and optimize efficiency. Balancing IT/OT requirements for security with the needs of business users ensures a seamless alignment between technology and operations, bolstering the overall resilience of the organization.

When the time comes to execute patching and remediation plans, business users hold the reins during the critical go/no-go call. Their invaluable input and insights into ongoing operations play a vital role in the decision-making process. This collaborative approach fosters a culture of trust and cooperation between IT and OT teams, ensuring that the chosen path forward is both secure and compatible with business continuity. In this joint effort, business users' perspectives are highly valued, leading to more effective and successful outcomes.

In the realm of patch and vulnerability management, bridging the gap between business processes and IT processes is an absolute necessity. By adhering to established standards while considering the impact on vital business operations, administrators can forge a resilient path to secure both IT and OT environments. Embracing a collaborative approach with business users during critical decision-making moments ensures that the organization moves forward with confidence, fully safeguarded against threats while maintaining uninterrupted productivity. Together, we can harness the power of IT and OT in harmony, securing a brighter and safer digital future for all.

Jon Cormack
