Industrial
Cyber Resilience
Operational Technology
Operational Resilience
Risk Management

An Operational Checklist for Securing the IT/OT Ecosystem

Jim LaBonty, May 6, 2025

IT/OT convergence in manufacturing has created digital environments that have optimized operations and brought forth a wealth of data that helps decision-makers refine processes, predict failures, reduce downtime, and extract every bit of operating efficiency. Companies are making money and saving money simultaneously, working both the firm's top and bottom lines.

With convergence comes added risk to a manufacturing firm. In addition to being a key part of digital transformation initiatives, convergence has introduced a wealth of new smart sensors and has connected existing equipment to the internet that was never designed with either connectivity or cybersecurity in mind.

CISOs, site operations leaders, and other OT security leaders must manage this risk, and doing so requires an operational checklist of must-haves from a strategic and operational standpoint. Let’s start at a high level with formulating one:


Strategies to Protect IT/OT/Cyber-Physical Systems in Manufacturing

Top-Down Governance of Converged Cybersecurity Programs

Starting from the top down, executive ownership of converged IT/OT cybersecurity programs requires a CISO with access to operations and engineering executives who hold buying power and decision-making responsibility. Stakeholders from IT, OT, and operations across the enterprise should also be involved in governance of the overall program; their input on business objectives, compliance and regulatory outcomes, risk management, and procurement requirements is vital to the operational checklist process.

Decide on Cybersecurity Frameworks

Alignment on which industry and sector standards will be adopted is also a must. The NIST Cybersecurity Framework and NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, are considered the gold standard for program implementation, development, and maintenance in manufacturing. IEC 62443, which is specific to industrial control systems, should already be part and parcel of any mature cybersecurity program. IEC 62443 is crucial in converged environments because it standardizes the connections between the often disparate worlds of IT and OT, establishing cybersecurity requirements for industrial automation and control systems (IACS) and their interfaces with IT systems. These standards are the starting block for any serious organization's cybersecurity program and should be used to measure success and identify gaps.

Don’t Skimp on Risk Assessments

Risk assessments are an essential part of a manufacturing organization's overall risk management strategy. This is where operational risk tolerance is defined and where the program is tailored to everything from investments in innovative technology and continuous improvement initiatives to incident response. Periodic assessments of the overall environment should be scheduled by IT risk assessment teams and conducted according to established standard frameworks, and all stakeholders (IT, OT, and operations) must be involved in deciding the course of action for analysis, mitigation, and remediation priorities. This step in an operational checklist requires an understanding of inward-facing risk, such as unpatched vulnerabilities, known exploits, change and configuration management issues, and IT/OT connectivity pathways, as well as the specific, active threats to the industry (manufacturing in this case).

Cultural Change is Strategic

Stakeholders must not only consider the business and regulatory aspects of a converged cybersecurity program for manufacturing but must also ingrain security into the culture and train personnel accordingly. This is challenging: IT and OT teams have traditionally focused on differing objectives and managed different technology platforms, and now they must collectively get on the same page. IT prioritizes confidentiality, integrity, and availability as enterprise cybersecurity programs are mapped out. This focus can conflict with the goals and priorities of OT asset operators and engineers at manufacturing sites, whose main concerns are the availability and reliability of production processes and the safety of operators and the general public. Uniting these stakeholders requires a deft touch, executive assistance, experience in both worlds, and some political know-how to create a unified culture that enforces cybersecurity enterprise-wide (shop floor to top floor). Stakeholders can take a variety of approaches, from cross-training IT and OT teams via security awareness programs and internships, to seeking out and nominating champions within business units and across sites who can proactively demonstrate the value of a cohesive security program.

Strategy First, Operations Deployment Second

The gap between IT and OT may not be the chasm it once was, and convergence has a role to play in uniting these once-disparate teams. Having a sound strategic operational checklist is key to getting a program off the ground and must be in place before operational discussions can be had and collective decisions made. 

The overarching strategy must guide the day-to-day cybersecurity operations of a converged IT/OT environment. For example, building a joint security operations center (SOC) may not be a Day 1 task, but it can be the North Star of a firm's IT/OT security program. In the meantime, concentrate on creating policies that bridge the IT/OT divide and invest in the proper controls and supporting applications, especially for newly connected OT and cyber-physical systems (this often requires a healthy understanding and implementation of compensating controls, since many of these assets cannot be patched or hardened directly).

Then, and only then, can one start having discussions about operational tasks such as gaining complete asset visibility at the shop floor and maintaining an ongoing inventory and proper cyber hygiene of connected OT and cyber-physical assets. 

Visibility will enable the rest of your operational tasks, including managing exposures beyond just unpatched vulnerabilities, secure remote access, role-based access controls, and a zero-trust cyber program. Monitoring and detection capabilities are key and will inform incident response coordination among all stakeholders; they feed directly into incident response playbooks and business continuity plans.

Jim LaBonty
Retired Head of Global Automation Engineering, Pfizer, Inc.

Jim LaBonty is the retired Director and Head of Global Automation Engineering for Pfizer's Global Engineering & Technology division. In this role he primarily focused on establishing the strategic direction and harmonizing control system solutions across 42 manufacturing sites globally, including securing the development of Pfizer's COVID-19 vaccine. Previously, LaBonty held senior engineering and system architect roles at Rockwell Automation, Eli Lilly & Company, and Eastman Kodak Company. He now leverages his decades of experience to help firms with their corporate OT cyber strategy and global program execution, with the goal of protecting manufacturing.
