Developing An Effective IT/OT Cybersecurity Convergence Strategy

By Sid Snitkin

Executive Overview

Today, most industrial companies have two separate cybersecurity programs. Cybersecurity professionals in the CIO’s organization ensure the security of corporate data, IT assets, networks, and business applications. Technical personnel in operations and engineering take care of the security of OT networks and assets.

Differences in IT and OT technologies, goals, and environments justified the development of separate security programs. But today’s siloed programs are leaving many plants at risk of a serious cyber incident. OT cybersecurity programs often lack the resources, expertise, and supporting technology to maintain defenses, manage attacks, and secure the new technologies being deployed in operating facilities. CISO efforts to manage security are also being hampered by the lack of OT system visibility and access.

This situation will only get worse unless companies act. The industrial cyber threat environment is already becoming more challenging with ransomware, sophisticated attacks like SolarWinds, and the explosion of digital transformation programs. These developments demand well-maintained, end-to-end security of all corporate activities and rapid detection and response to all anomalous events. While most industrial IT security programs have the cyber professionals and advanced security solutions to deal with these new challenges, many OT security programs are still struggling to achieve yesterday’s requirements.

IT/OT cybersecurity convergence offers a cost-effective way to address current and future OT security challenges. IT cyber professionals can fill critical resource and expertise gaps in OT security programs. Common cybersecurity processes can eliminate security gaps between IT and OT systems. Use of similar technologies can enhance visibility and incident response effectiveness.

While convergence offers many benefits, experience shows that combining IT and OT programs can be challenging. Successful convergence efforts have clear convergence goals and proven approaches for addressing critical issues like cultural differences and OT reluctance to use conventional IT security practices and technologies. This report presents some of the lessons learned by leading companies that are already on cybersecurity convergence journeys.

Industrial Cybersecurity Today

Industrial cybersecurity teams face an awesome set of responsibilities and challenges. IT security teams, which are often part of the CIO’s organization, are responsible for managing the security of a wide range of information processing technologies, including workstations, servers, networks, printers, websites, cloud applications, and mobile devices. This includes ensuring the confidentiality of all corporate information and the continuous availability of critical business systems and applications.

OT security teams are commonly assigned to specific facilities and typically report to plant managers or corporate engineering managers. These people are responsible for ensuring the availability and integrity of control systems, SCADA systems, and a diverse collection of cyber-physical systems such as robots and packaging systems. Managers expect them to prevent any cyber incidents that might impact safety, product quality, environmental compliance, or operational continuity.

While IT and OT security teams may collaborate on security of interfaces, decisions about OT security within facilities are generally made and funded locally, based on each site’s risk appetite, capabilities, and preferences.

Cybersecurity Is More Mature for IT

IT cybersecurity programs are generally more advanced than those in OT. Most IT cybersecurity programs include passive and active security technologies, comprehensive suites of security management solutions, and a team of cybersecurity professionals. These capabilities enable timely management of security updates, as well as rapid detection and response to anomalous events. Some large industrial companies also have security operations centers (SOCs) that leverage third-party threat intelligence and incident management support.

[Figure: IT/OT Cybersecurity Convergence]

The picture is quite different for industrial OT cybersecurity programs. While many sites recognize the need for OT cybersecurity, they rarely invest in more than the basic passive defensive technologies recommended by industry groups. Many also neglect the need to invest in people and solutions to maintain these defenses. Some have invested in anomaly and breach detection solutions, but they are primarily used to improve asset inventories. Few have the resources or expertise to deal with the anomalous message alerts that could help them reduce the impact of sophisticated attacks.

There are various reasons for today’s OT cybersecurity situation. Some managers discount the likelihood of sophisticated attacks and believe that basic defenses are enough. Others do not believe they can justify the additional costs for active defense. Regardless of the reason, the net effect is that the money spent by industrial companies on OT cybersecurity products and services is typically less than 10 percent of that spent for IT cybersecurity.

Table of Contents

  • Executive Overview
  • Industrial Cybersecurity Today
  • Growing OT Cyber Risks Demand Action
  • Convergence Offers a Solution for OT Challenges
  • Setting an Appropriate Convergence Goal
  • Converging Security People
  • Converging Security Processes
  • Converging Security Technologies
  • Managing Converged Cybersecurity Programs
  • Recommendations

ARC Advisory Group clients can view the complete report at ARC Client Portal
