IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

• Governing and managing IT and OT security and accountabilities.
• Converging security architecture and controls between IT and OT environments.
• Compliance with regulations and standards.
• Metrics for OT security effectiveness and efficiency.

• IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
• OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
• Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).

Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

• Initiate communication to define roles and responsibilities.
• Establish governance and build a cross-functional team.
• Identify convergence components and compliance obligations.
• Assess readiness.

90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

Case Study

INDUSTRY
Utilities

SOURCE
Interview

Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

The lessons learned in converging IT and OT from Horizon Power were:

• Start with forming relationships to build trust and overcome any divide between IT and OT.
• Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
• Switch the focus from confidentiality and integrity to availability in solutions evaluation
• Develop training and awareness programs for all levels of the organization.
• Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
• Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
• Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

• Process convergence
• Software and data convergence
• Network and infrastructure convergence

• OT leader and teams
• IT leader and teams
• Security leader and teams

• Governance and compliance
• Security strategy
• Risk management
• Security policies
• IR, DR, BCP
• Security awareness and training
• Security architecture and controls

Plan

• Initiate communication
• Define roles and responsibilities
• Establish governance and build a cross-functional team
• Identify convergence elements and compliance obligations
• Assess readiness

Governance

Compliance

Enhance

• Update security strategy for IT/OT convergence
• Update risk-management framework for IT/OT convergence
• Update security policies and procedures for IT/OT convergence
• Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

Security strategy

Risk management

Security policies and procedures

IR, DR, and BCP

Monitor &
Optimize

• Implement awareness, induction, and cross-training program
• Design and deploy converging security architecture and controls
• Establish and monitor IT/OT security metrics on effectiveness and efficiency
• Red-team followed by blue-team activity for cross-functional team building

Awareness and cross-training

Architecture and controls

• Mapping business goals to IT/OT security goals
• RACI chart for priorities and accountabilities
• Compliance obligations register
• Readiness checklist

• Security strategy for IT/OT convergence
• Risk management framework
• Security policies & procedures
• IR, DR, BCP

• Security awareness and training
• Security architecture and controls

• Improved flexibility and less divided IT/OT
• Improved compliance

• Increased strategic common goals
• Increased efficiency and versatility

• Enhanced security
• Reduced costs

Info-Tech Insight

OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

• Security leaders need to understand the direction the organization is headed in.
• Wise security investments depend on aligning your security initiatives to the organization.
• Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

Physical Scope and Boundaries

• How many offices and locations does your organization have?
• Which locations/offices will be covered by your information security management system (ISMS)?
• How sensitive is the data residing at each location?
• You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

• There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
• Is the system owned or outsourced?
• Where are you accountable for security?
• How sensitive is the data that each system handles?

Organizational Scope and Boundaries

• Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
• Do you have the ability to make security decisions for each department?
• Who are the key stakeholders/data owners for each department?

OT Systems Scope and Boundaries

• There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
• Is the system owned or outsourced?
• Where are you accountable for safety and security?
• What reliability requirements does each system handle?

• Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
• For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

1. Customize the "work units" to best reflect your operation with applicable stakeholders.
2. Customize the "action“ rows as required.

The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

• A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
• However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
• Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

Level 5: Enterprise Network

Level 4: Site Business

Level 3.5: DMZ
Example: Patch Management Server, Application Server, Remote Access Server

Level 3: Site Operations
Example: SCADA Server, Engineering Workstation, Historian

Level 2: Area Supervisory Control
Example: SCADA Client, HMI

Level 1: Basic Control
Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

Level 0: Process
Example: Sensors, Actuators, Field Devices

Source:
ENISA, 2013
DHS, 2009.

• OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
• OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
• It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

• IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
• In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
• For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
• For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   1. Laws
   2. Government regulations
   3. Industry standards
   4. Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.