Across most industries, there's a wave of digital transformation under way. As it applies to OT/ICS, digital transformation efforts promise increased connectivity of industrial operations through intelligent sensors and industrial Internet of Things (IIoT) devices, which enable real-time data flow between OT and IT systems. The outcome of this transformation should include more comprehensive and timely monitoring, control, and optimization of industrial processes.
"Because IT/OT convergence enables organizations to streamline operations, reduce downtime, and develop new data-driven services and business models, the business drivers include cost optimization, predictive maintenance, and the need for agility and innovation," says Michael Farnum, field CISO at technology services firm Trace3.
Things are moving fast. In a 2022 report by the Ponemon Institute, 57% of respondents said that the pressure to achieve IT/OT convergence keeps OT leadership "awake at night." Much of that angst is driven by the security concerns that arise from IT/OT convergence.
Experts say the most significant challenges with convergence aren't technical ones such as legacy OT systems, insecure remote access, or even air gap erosion. Instead, they are the differing priorities and cultures of IT and OT teams, and the resulting lack of collaboration, which make solving the technical security issues even harder.
"The first mistake that many make is the false belief that OT and IT are the same thing, or that what will work in the IT space will work in the OT space," explained Michael Ruiz, general manager of cyber innovation at Honeywell Connected Enterprise. "I think there are still many who don't fully appreciate the differences and the complexities associated with OT environments," he added.
Reade Taylor, founder of cybersecurity services provider Cyber Command, said that this lack of appreciation or understanding drives the impulse to impose IT security strategies directly onto OT systems without addressing the operational differences. Taylor said he has witnessed first-hand how IT-focused protocols often conflict with the unique, real-time, safety-critical needs of OT environments, such as those found in manufacturing and industrial controls. "This oversight typically stems from a higher focus on data security rather than operational continuity," Taylor said.
Taylor also recalls a time when a utility company utilizing a unified OT/IT environment applied strict IT data controls on OT systems, and this had the unintended consequence of delaying response times within their critical infrastructure monitoring. "This experience illustrated the importance of designing security measures that fulfill the operational requirements of OT systems without constraining their functionality," Taylor said.
Farnum explained that while certain areas of OT environments are managed similarly to IT environments, when it comes to programmable logic controllers (PLCs) and specialized hardware, organizations need to find ways to put appropriate controls in place, such as tools that provide visibility, along with suitable device and network segmentation to reduce the addressable attack surface.
Asset visibility remains foundational to security in OT environments. Passive collection methods are preferred because they minimize potential operational impact while still identifying assets, establishing network baselines, and mapping known vulnerabilities to affected systems. Increasingly, however, collection methods that issue active queries in the devices' native protocols are being adopted to obtain a more complete picture of assets and the environment. This approach helps reduce additional hardware costs, avoid downtime in sensitive environments, and obtain a more complete inspection of traffic. In converged environments, it also helps align IT and OT teams.
"Collaborative efforts between OT and IT teams must be put in place so that the siloed walls come down and OT and IT teams are fully enabled; otherwise, they will just spin their wheels in place," Farnum said.
To stop those wheels from spinning, experts advise establishing a governance program that defines clear roles, responsibilities, and practices to manage converged OT/IT systems. "Building an IT/OT working group brings these teams together around the same table to identify vulnerabilities and build solutions. For CISOs, simply making this a priority and facilitating this collaboration can go a long way toward improving OT security posture," said Sean Arrowsmith, director of industrials at NCC Group.
Such unification of teams is essential to avoid communication gaps and monitoring mishaps created through misunderstandings. Honeywell's Ruiz explains that mistakes are more likely to be made without such unification. For example, to attain adequate fault tolerance, some OT protocols rely on multiple devices that perform the same tasks using different MAC addresses but the same IP address. "In this case, the IT security analysts may suspect that they have an intruder or a rogue device on their network when the OT device is simply performing exactly how it's supposed to," he said.
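The scenario Ruiz describes is exactly where a jointly maintained asset inventory pays off. The following is an added example, not code from the article or from any vendor mentioned in it: a small duplicate-IP check that treats several MACs answering for one IP as an alert only when the MAC set is not documented as a redundancy pair. The observations and the allowlist are constructed sample data.

```python
from collections import defaultdict

# Constructed observations in the shape a passive sensor would report:
# (ip, mac). Values are made up for this example.
OBSERVATIONS = [
    ("10.20.1.50", "00:1a:2b:00:00:01"),
    ("10.20.1.50", "00:1a:2b:00:00:02"),  # documented redundant controller pair
    ("10.20.1.51", "00:1a:2b:00:00:10"),
    ("10.20.1.51", "DE:AD:BE:EF:00:99"),  # second MAC with no documented reason
    ("10.20.1.60", "00:1a:2b:00:00:20"),
]

# Asset inventory agreed by the IT/OT working group (constructed):
# IP -> MACs that are expected to answer for it because of redundancy.
REDUNDANCY_ALLOWLIST = {
    "10.20.1.50": {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"},
}

def macs_per_ip(observations):
    """Group observed MACs (normalised to lower case) by IP address."""
    seen = defaultdict(set)
    for ip, mac in observations:
        seen[ip].add(mac.lower())
    return seen

def classify(observations, allowlist):
    """Return {ip: (verdict, unexpected_macs)}.

    'expected-redundancy': several MACs, all documented for this IP.
    'single':              one MAC, nothing unexpected.
    'alert':               at least one MAC the inventory does not expect
                           (a real IP conflict or an unknown device).
    """
    verdicts = {}
    for ip, macs in macs_per_ip(observations).items():
        expected = {m.lower() for m in allowlist.get(ip, set())}
        # With no inventory entry, a lone MAC is simply the device itself.
        if not expected and len(macs) == 1:
            verdicts[ip] = ("single", [])
            continue
        unexpected = sorted(macs - expected)
        if unexpected:
            verdicts[ip] = ("alert", unexpected)
        elif len(macs) > 1:
            verdicts[ip] = ("expected-redundancy", [])
        else:
            verdicts[ip] = ("single", [])
    return verdicts

if __name__ == "__main__":
    for ip, (verdict, macs) in sorted(classify(OBSERVATIONS, REDUNDANCY_ALLOWLIST).items()):
        print(f"{ip:<12} {verdict:<20} {' '.join(macs)}")
```

Only 10.20.1.51 is raised to an analyst; the documented pair on 10.20.1.50 is reported as expected redundancy rather than a rogue device.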
Taylor warns that even when groups are merged or unified, it's crucial that typically siloed IT and OT management processes be incorporated effectively. Taylor advises a "unified operations center" that fosters ongoing communication and procedure sharing between IT and OT teams to enhance security postures and improve operational efficiency by synchronizing the management activities across differing technologies and workflows. "The key takeaway in effective IT and OT convergence is to maintain an open dialogue between the teams handling each domain, ensuring that the measures implemented are operation-specific and support the unique aspects of the systems being managed," Taylor said.
To successfully manage the convergence of OT/IT systems, Ruiz advises organizations to pick the best security management framework for their company, industry, and geography. For utilities within the US, that could be the North American Electric Reliability Corporation Critical Infrastructure Protection standards and regulations; in the UK, that could be NIS2. "These frameworks are good beginnings for creating the foundations of your program. For organizations without such regulation, find a framework suitable for your company, industry, and how you operate," Ruiz said.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.