By Sid Snitkin
There are plenty of industrial organizations that still view IT and OT cybersecurity as unique issues to address, yet the need for convergence has never been more important.
Attackers are able to exploit the security gaps between IT and OT technologies precisely because those responsible for their defense have different priorities and practices.
Successful IT/OT cybersecurity convergence requires close cooperation between previously siloed departments. While challenging to achieve, bringing IT and OT together under an integrated security strategy will eliminate security gaps and reduce the organization’s overall cyber risk.
IT groups have traditionally taken care of critical business applications and related IT cybersecurity, while process control and OT cybersecurity were the domain of engineering and operations. Clear and understandable differences in technology and environmental constraints were used to justify siloed cybersecurity strategies.
Frustrated with high costs and innovation constraints, industrial companies are increasing their use of IT-based technologies within OT systems. Supervisory applications and historical data are being migrated to the cloud. Legacy proprietary process controllers and networks are being replaced with standards-based commercial hardware and software products.
Digital transformation initiatives are changing the nature of industrial IT. Asset management, supply chain, and production operations groups are leveraging powerful, cloud-based analytics and AI packages to drive improvements. Shadow IT efforts require new networking solutions with access to edge devices and deep connectivity into IT and OT systems.
These technology developments and new business initiatives are pushing the need for convergence to the forefront. IT is recognizing the need for greater OT support, while shifts in technology are forcing OT to seek out IT expertise. The emerging IT/OT landscape increases the need for deeper collaboration and knowledge sharing between the two groups.
Consolidating IT and OT cybersecurity efforts clarifies responsibilities and eliminates security gaps. It also ensures consistent security levels across the entire organization and reduces overall cyber risk.
To be effective, a converged IT/OT cybersecurity program should include centralized oversight of all the organization’s cybersecurity efforts with the authority to implement key objectives. This can be implemented through formal organizational changes or virtual teams of people who work in IT groups, OT groups, and security operations centers (SOCs). Integration of third parties with specific capabilities should also be anticipated to address the realities of ongoing shortages in cybersecurity professionals. The chief information security officer (CISO), or someone else in top management, should have responsibility for overall coordination and board of directors (BoD) reporting.
While there are significant benefits to converging IT and OT cybersecurity strategies, don’t expect it to be easy.
Organizations need to anticipate and prepare for changes in their existing people, processes, and technology practices. Here are some initiatives that companies can use to ease the transition:
• Establish cross-trained site teams to handle routine security hygiene
• Create a global support network with IT and OT experts to deal with more complex cyber issues like malware intrusions and anomalous behavior
• Update key IT/OT cybersecurity processes from vulnerability management to incident management
• Ensure compliance with corporate policies
• Integrate cybersecurity technology to enable coordinated cybersecurity management
IT and OT may require different tools, but they need to be compatible and fully integrated in key areas like asset inventories, endpoint and network protection, security monitoring and reporting, and secure remote access.
Beyond the technical challenges, cultural issues such as distrust between the two groups can be a big hurdle on their own. Methods that might ease the transition include workshops designed to reconcile perspectives, and cross-pollination of groups to build bridges and re-establish trust.
Sid Snitkin is vice president and cyber security domain expert at the Dedham, MA-based ARC Advisory Group.