IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:
- Governing and managing IT and OT security and accountabilities.
- Converging security architecture and controls between IT and OT environments.
- Compliance with regulations and standards.
- Metrics for OT security effectiveness and efficiency.
Our Advice
Critical Insight
- Returning to isolated OT is not beneficial for the organization, therefore IT and OT need to learn to collaborate starting with communication to build trust and to overcome differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
- Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
- OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT-OT based on negotiation and this needs top-down support.
Impact and Result
Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to
- initiate communication to define roles and responsibilities.
- establish governance and build cross-functional team.
- identify convergence components and compliance obligations.
- assess readiness.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.3/10
Overall Impact
$26,732
Average $ Saved
23
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
NIPPON GASES EURO-HOLDING, SLU
Guided Implementation
10/10
$59,199
32
Utah Transit Authority
Guided Implementation
10/10
$12,999
20
Hard to say as we have barely started and with other projects taking priority at this time, it's difficult to get back on this.
RAND WATER
Workshop
8/10
$8,000
18
Clear understanding of the IT/OT landscape, and what the organization regards as IT/OT
Secure IT/OT Convergence
Create a holistic IT/OT security culture.
Analyst Perspective
Are you ready for secure IT/OT convergence?
IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.
In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.
A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.
Ida Siahaan
Research Director, Security and Privacy Practice Info-Tech Research Group |
Executive Summary
Your Challenge
IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:
|
Common Obstacles
|
Info-Tech’s Approach
Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:
|
Info-Tech Insight
Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.
Consequences of unsecure IT/OT convergence
OT systems were built with no or little security design
90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.) |
(Source: Fortinet, 2021.) |
Lack of visibility
86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.) |
The need for secure IT/OT convergence
Important Industrial Control System (ICS) cyber incidents
2000 Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released. |
2012 Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files. |
2014 Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down. |
2017 Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic. |
2022 Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services. |
1903 Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.” |
2010 Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs). |
2013 Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers |
2016 Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers. |
2021 Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation. |
(Source: US Department of Energy, 2018.
”Significant Cyber Incidents,” CSIS, 2022
MIT Technology Review, 2022.)
Info-Tech Insight
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Case StudyHorizon Power |
INDUSTRY
|
SOURCE
|
Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT. Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent. In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making. The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services. |
Results
The lessons learned in converging IT and OT from Horizon Power were:
|
The Secure IT/OT Convergence Framework
IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem, to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will result in a problem. Therefore, IT and OT need to learn to live together starting with communication to build trust and to overcome differences between IT and OT.Convergence Elements
|
Target Groups
|
Security Components
|
Plan |
|
Governance Compliance |
Enhance |
|
Security strategy Risk management Security policies and procedures IR, DR, and BCP |
Monitor &
|
|
Awareness and cross-training Architecture and controls |
|
Plan Outcomes
|
Plan Benefits
|
Plan
Initiate communication
To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
| Info-Tech InsightOT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support. Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.
|
Map organizational goals to IT/OT security goals
Input: Corporate, IT, and OT strategies
Output: Your goals for the security strategy
Materials: Secure IT/OT Convergence Requirements Gathering Tool
Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management
- As a group, brainstorm organization goals.
- Review relevant corporate, IT, and OT strategies.
- Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
- For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.
Download the Secure IT/OT Convergence Requirements Gathering Tool
Record organizational goals
Refer to the Secure IT/OT Convergence Framework when filling in the following elements.
- Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
- For each of your organizational goals, identify IT alignment goals.
- For each of your organizational goals, identify OT alignment goals.
- For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.
Establish scope and boundaries
It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.
Physical Scope and Boundaries
|
IT Systems Scope and Boundaries
|
Organizational Scope and Boundaries
|
OT Systems Scope and Boundaries
|
Record scope and boundaries
Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
|
Plan
Define roles and responsibilities
Input: List of relevant stakeholders
Output: Roles and responsibilities for the secure IT/OT convergence program
Materials: Secure IT/OT Convergence RACI Chart Tool
Participants: Executive leadership, OT leader, IT leader, Security leader
There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:
- Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
- Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
- Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
- Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.
Download the Secure IT/OT Convergence RACI Chart Tool
Define RACI Chart
Define responsible, accountable, consulted, and informed (RACI) stakeholders.
|
Info-Tech Insight
The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system. |
Plan
Establish governance and build cross-functional team
To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.
Info-Tech Insight
To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.
Centralized security governance model example
Plan
Identify convergence elements and compliance obligations
To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
|
Level 5: Enterprise Network Level 4: Site Business Level 3.5: DMZ Level 3: Site Operations Level 2: Area Supervisory Control Level 1: Basic Control Level 0: Process |
Identify compliance obligations
To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
Source:
|
|
IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series
International series of standards for asset owners, system integrators, and product manufacturers.(Source: Cooksley, 2021) |
|
Record your compliance obligations
Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
|