Our systems detected an issue with your IP. If you think this is an error please submit your concerns via our contact form.

Security icon

Secure IT/OT Convergence

Create a holistic IT/OT security culture.

IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:

  • Governing and managing IT and OT security and accountabilities.
  • Converging security architecture and controls between IT and OT environments.
  • Compliance with regulations and standards.
  • Metrics for OT security effectiveness and efficiency.

Our Advice

Critical Insight

  • Returning to isolated OT is not beneficial for the organization, therefore IT and OT need to learn to collaborate starting with communication to build trust and to overcome differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
  • Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
  • OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT-OT based on negotiation and this needs top-down support.

Impact and Result

Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to

  • initiate communication to define roles and responsibilities.
  • establish governance and build cross-functional team.
  • identify convergence components and compliance obligations.
  • assess readiness.


Secure IT/OT Convergence Research & Tools

1. Secure IT/OT Convergence Storyboard – A step-by-step document that walks you through how to secure IT-OT convergence.

Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.

2. Secure IT/OT Convergence Requirements Gathering Tool – A tool to map organizational goals to secure IT-OT goals.

This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.

3. Secure IT/OT Convergence RACI Chart Tool – A tool to identify and understand the owners of various IT/OT convergence across the organization.

A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.3/10


Overall Impact

$26,732


Average $ Saved

23


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

NIPPON GASES EURO-HOLDING, SLU

Guided Implementation

10/10

$59,199

32

Utah Transit Authority

Guided Implementation

10/10

$12,999

20

Hard to say as we have barely started and with other projects taking priority at this time, it's difficult to get back on this.

RAND WATER

Workshop

8/10

$8,000

18

Clear understanding of the IT/OT landscape, and what the organization regards as IT/OT


Secure IT/OT Convergence

Create a holistic IT/OT security culture.

Analyst Perspective

Are you ready for secure IT/OT convergence?

IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

Photo of Ida Siahaan, Research Director, Security and Privacy Practice, Info-Tech Research Group. Ida Siahaan
Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Your Challenge

IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

  • Governing and managing IT and OT security and accountabilities.
  • Converging security architecture and controls between IT and OT environments.
  • Compliance with regulations and standards.
  • Metrics for OT security effectiveness and efficiency.
Common Obstacles
  • IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
  • OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
  • Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).
Info-Tech’s Approach

Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.

Info-Tech Insight

Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Consequences of unsecure IT/OT convergence

OT systems were built with no or little security design

90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

Bar graph comparing three years, 2019-2021, of four different OT security incidents: 'Ransomeware', 'Insider breaches', 'Phishing', and 'Malware'.
(Source: Fortinet, 2021.)
Lack of visibility

86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

The need for secure IT/OT convergence

Important Industrial Control System (ICS) cyber incidents

2000
Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
2012
Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.
2014
Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
2017
Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
2022
Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
Timeline of Important Industrial Control System (ICS) cyber incidents.
1903
Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
2010
Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
2013
Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers
2016
Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
2021
Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.

(Source: US Department of Energy, 2018.


”Significant Cyber Incidents,” CSIS, 2022


MIT Technology Review, 2022.)

Info-Tech Insight

Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

Case Study

Horizon Power
Logo for Horizon Power.
INDUSTRY
Utilities
SOURCE
Interview

Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

Results

The lessons learned in converging IT and OT from Horizon Power were:

  • Start with forming relationships to build trust and overcome any divide between IT and OT.
  • Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
  • Switch the focus from confidentiality and integrity to availability in solutions evaluation
  • Develop training and awareness programs for all levels of the organization.
  • Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
  • Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
  • Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

The Secure IT/OT Convergence Framework

IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem, to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will result in a problem. Therefore, IT and OT need to learn to live together starting with communication to build trust and to overcome differences between IT and OT.
Convergence Elements
  • Process convergence
  • Software and data convergence
  • Network and infrastructure convergence
Target Groups
  • OT leader and teams
  • IT leader and teams
  • Security leader and teams
Security Components
  • Governance and compliance
  • Security strategy
  • Risk management
  • Security policies
  • IR, DR, BCP
  • Security awareness and training
  • Security architecture and controls

Plan

  • Initiate communication
  • Define roles and responsibilities
  • Establish governance and build a cross-functional team
  • Identify convergence elements and compliance obligations
  • Assess readiness

Governance

Compliance

Enhance

  • Update security strategy for IT/OT convergence
  • Update risk-management framework for IT/OT convergence
  • Update security policies and procedures for IT/OT convergence
  • Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

Security strategy

Risk management

Security policies and procedures

IR, DR, and BCP

Monitor &
Optimize

  • Implement awareness, induction, and cross-training program
  • Design and deploy converging security architecture and controls
  • Establish and monitor IT/OT security metrics on effectiveness and efficiency
  • Red-team followed by blue-team activity for cross-functional team building

Awareness and cross-training

Architecture and controls

Phases
Color-coded phases with arrows looping back up from the bottom to top phase.
  • Plan
  • Enhance
  • Monitor & Optimize
Plan Outcomes
  • Mapping business goals to IT/OT security goals
  • RACI chart for priorities and accountabilities
  • Compliance obligations register
  • Readiness checklist
Enhance Outcomes
  • Security strategy for IT/OT convergence
  • Risk management framework
  • Security policies & procedures
  • IR, DR, BCP
Monitor & Optimize Outcomes
  • Security awareness and training
  • Security architecture and controls
Plan Benefits
  • Improved flexibility and less divided IT/OT
  • Improved compliance
Enhance Benefits
  • Increased strategic common goals
  • Increased efficiency and versatility
Monitor & Optimize Benefits
  • Enhanced security
  • Reduced costs

Plan

Initiate communication

To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
IT OT
Remote Access Well-defined access control Usually single-level access control
Interfaces Human Machine, equipment
Software ERP, CRM, HRIS, payroll SCADA, DCS
Hardware Servers, switches, PCs PLC, HMI, sensors, motors
Networks Ethernet Fieldbus
Focus Reporting, communication Up-time, precision, safety
Change management Frequent updates and patches Infrequent updates and patches
Security Confidentiality, integrity, availability Safety, reliability, availability
Time requirement Normally not time critical Real time

Info-Tech Insight

OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

  • Security leaders need to understand the direction the organization is headed in.
  • Wise security investments depend on aligning your security initiatives to the organization.
  • Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

Map organizational goals to IT/OT security goals

Input: Corporate, IT, and OT strategies

Output: Your goals for the security strategy

Materials: Secure IT/OT Convergence Requirements Gathering Tool

Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

  1. As a group, brainstorm organization goals.
    1. Review relevant corporate, IT, and OT strategies.
  2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
  3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Secure IT/OT Convergence Requirements Gathering Tool

Record organizational goals

Sample of the definitions table with columns numbered 1-4.

Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

  1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  2. For each of your organizational goals, identify IT alignment goals.
  3. For each of your organizational goals, identify OT alignment goals.
  4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

Establish scope and boundaries

It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.

This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

Physical Scope and Boundaries

  • How many offices and locations does your organization have?
  • Which locations/offices will be covered by your information security management system (ISMS)?
  • How sensitive is the data residing at each location?
  • You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

  • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
  • Is the system owned or outsourced?
  • Where are you accountable for security?
  • How sensitive is the data that each system handles?

Organizational Scope and Boundaries

  • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
  • Do you have the ability to make security decisions for each department?
  • Who are the key stakeholders/data owners for each department?

OT Systems Scope and Boundaries

  • There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
  • Is the system owned or outsourced?
  • Where are you accountable for safety and security?
  • What reliability requirements does each system handle?

Record scope and boundaries

Sample Scope and Boundaries table. Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
  • Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  • For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

Plan

Define roles and responsibilities

Input: List of relevant stakeholders

Output: Roles and responsibilities for the secure IT/OT convergence program

Materials: Secure IT/OT Convergence RACI Chart Tool

Participants: Executive leadership, OT leader, IT leader, Security leader

There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

  • Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
  • Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
  • Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
  • Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Secure IT/OT Convergence RACI Chart Tool

Define RACI Chart

Sample RACI chart with only the 'Plan' section enlarged.

Define responsible, accountable, consulted, and informed (RACI) stakeholders.
  1. Customize the "work units" to best reflect your operation with applicable stakeholders.
  2. Customize the "action“ rows as required.
Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

Plan

Establish governance and build cross-functional team

To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

The maturity ladder with levels 'Fully Converged', 'Collaborative Partners', 'Trusted Resources', 'Affiliated Entities', and 'Siloed' at the bottom. Each level has four maturity indicators listed.

Info-Tech Insight

To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

Centralized security governance model example

Example of a centralized security governance model.

Plan

Identify convergence elements and compliance obligations

To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
  • A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
  • However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
  • Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

Level 5: Enterprise Network

Level 4: Site Business

Level 3.5: DMZ
Example: Patch Management Server, Application Server, Remote Access Server

Level 3: Site Operations
Example: SCADA Server, Engineering Workstation, Historian

Level 2: Area Supervisory Control
Example: SCADA Client, HMI

Level 1: Basic Control
Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

Level 0: Process
Example: Sensors, Actuators, Field Devices

(Source: “Purdue Enterprise Reference Architecture (PERA) Model,” ISA-99.)

Identify compliance obligations

To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
Example table of compliance obligations standards. Example tables of compliance obligations regulations and guidelines.

Source:
ENISA, 2013
DHS, 2009.

  • OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
  • OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
  • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

International series of standards for asset owners, system integrators, and product manufacturers.
Diagram of the international series of standards for asset owners.
(Source: Cooksley, 2021)
  • IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
  • In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
  • For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
  • For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

Record your compliance obligations

Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
    1. Laws
    2. Government regulations
    3. Industry standards
    4. Contractual agreements
    Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
  2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
  3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.
Table of mandatory and voluntary security compliance obligations.
Secure IT/OT Convergence preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.3/10
Overall Impact

$26,732
Average $ Saved

23
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Authors

Robert Dang

Jing Wu

Mike Schembri

William Wong

Ida Siahaan

Contributors

Jeff Campbell, Manager, Technology Shared Services, Horizon Power, AU

Christopher Harrington, Chief Technology Officer (CTO), Carolinas Telco Federal Credit Union

Frank DePaola, Vice President, Chief Information Security Officer (CISO), Enpro

Kwasi Boakye-Boateng, Cybersecurity Researcher, Canadian Institute for Cybersecurity

Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019