Secure IT/OT Convergence

Create a holistic IT/OT security culture.

IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

  • Governing and managing IT and OT security and accountabilities.
  • Converging security architecture and controls between IT and OT environments.
  • Compliance with regulations and standards.
  • Metrics for OT security effectiveness and efficiency.

Our Advice

Critical Insight

  • Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome the differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
  • Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
  • OT interfaces with the physical world, while IT systems are concerned mainly with the cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

Impact and Result

Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to

  • initiate communication to define roles and responsibilities.
  • establish governance and build cross-functional team.
  • identify convergence components and compliance obligations.
  • assess readiness.


Secure IT/OT Convergence Research & Tools

1. Secure IT/OT Convergence Storyboard – A step-by-step document that walks you through how to secure IT-OT convergence.

Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.

2. Secure IT/OT Convergence Requirements Gathering Tool – A tool to map organizational goals to secure IT-OT goals.

This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.

3. Secure IT/OT Convergence RACI Chart Tool – A tool to identify and understand the owners of the various IT/OT convergence activities across the organization.

A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.



Analyst Perspective

Are you ready for secure IT/OT convergence?

IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in their design (e.g. OT protocols without confidentiality properties). Now, however, OT has become dependent on the IT capabilities of the organization, so OT inherits IT’s security issues; that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

Ida Siahaan
Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Your Challenge

IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

  • Governing and managing IT and OT security and accountabilities.
  • Converging security architecture and controls between IT and OT environments.
  • Compliance with regulations and standards.
  • Metrics for OT security effectiveness and efficiency.

Common Obstacles

  • IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
  • Proprietary OT devices and insecure protocols running on outdated systems that may be insecure by design.
  • Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).

Info-Tech’s Approach

Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.

Info-Tech Insight

Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Consequences of unsecure IT/OT convergence

OT systems were built with no or little security design

90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

Bar graph comparing three years, 2019-2021, of four different OT security incidents: 'Ransomware', 'Insider breaches', 'Phishing', and 'Malware'.
(Source: Fortinet, 2021.)

Lack of visibility

86% of OT security-related service engagements lacked complete visibility of the OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review,” Dragos, 2022.)

The need for secure IT/OT convergence

Important Industrial Control System (ICS) cyber incidents

Timeline of important ICS cyber incidents:

  • 1903 – Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
  • 2000 – Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
  • 2010 – Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
  • 2012 – Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based system files.
  • 2013 – Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.
  • 2014 – Target: German steel mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
  • 2016 – Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
  • 2017 – Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
  • 2021 – Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.
  • 2022 – Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.

(Source: US Department of Energy, 2018; ”Significant Cyber Incidents,” CSIS, 2022; MIT Technology Review, 2022.)

Info-Tech Insight

Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

Case Study

Horizon Power
Industry: Utilities
Source: Interview

Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management, moving away from centralized generation to decentralized, community-led generation, which is reflected in its maturity in converging IT and OT.

Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

In these early days of the journey, the focus was on applying mature IT approaches, such as the adoption of cloud services, to the OT environment rather than on converging the two. Many years later, Horizon Power has made OT data more accessible to derive business benefits, such as analyzing customer usage data, with the objective of improving the collection and management of OT data to improve business performance and decision making.

The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that supports delivery of the site services.

Results

The lessons learned in converging IT and OT from Horizon Power were:

  • Start with forming relationships to build trust and overcome any divide between IT and OT.
  • Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
  • Switch the focus from confidentiality and integrity to availability when evaluating solutions.
  • Develop training and awareness programs for all levels of the organization.
  • Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
  • Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
  • Manage third-party vendors using a platform that not only performs external monitoring but also gives third-party vendors visibility of potential threats in their organization.

The Secure IT/OT Convergence Framework

IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful planning, simply connecting the two systems will create problems. Therefore, IT and OT need to learn to live together, starting with communication to build trust and to overcome the differences between IT and OT.

Convergence Elements

  • Process convergence
  • Software and data convergence
  • Network and infrastructure convergence

Target Groups

  • OT leader and teams
  • IT leader and teams
  • Security leader and teams

Security Components

  • Governance and compliance
  • Security strategy
  • Risk management
  • Security policies
  • IR, DR, BCP
  • Security awareness and training
  • Security architecture and controls

Plan (security components: Governance; Compliance)

  • Initiate communication
  • Define roles and responsibilities
  • Establish governance and build a cross-functional team
  • Identify convergence elements and compliance obligations
  • Assess readiness

Enhance (security components: Security strategy; Risk management; Security policies and procedures; IR, DR, and BCP)

  • Update security strategy for IT/OT convergence
  • Update risk-management framework for IT/OT convergence
  • Update security policies and procedures for IT/OT convergence
  • Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

Monitor & Optimize (security components: Awareness and cross-training; Architecture and controls)

  • Implement awareness, induction, and cross-training program
  • Design and deploy converging security architecture and controls
  • Establish and monitor IT/OT security metrics on effectiveness and efficiency
  • Red-team followed by blue-team activity for cross-functional team building

Phases

Color-coded phases (Plan, Enhance, Monitor & Optimize) with arrows looping back up from the bottom phase to the top phase.

  • Plan – Outcomes: mapping business goals to IT/OT security goals; RACI chart for priorities and accountabilities; compliance obligations register; readiness checklist. Benefits: improved flexibility and less divided IT/OT; improved compliance.
  • Enhance – Outcomes: security strategy for IT/OT convergence; risk management framework; security policies & procedures; IR, DR, BCP. Benefits: increased strategic common goals; increased efficiency and versatility.
  • Monitor & Optimize – Outcomes: security awareness and training; security architecture and controls. Benefits: enhanced security; reduced costs.

Plan

Initiate communication

To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
Aspect            | IT                                        | OT
Remote access     | Well-defined access control               | Usually single-level access control
Interfaces        | Human                                     | Machine, equipment
Software          | ERP, CRM, HRIS, payroll                   | SCADA, DCS
Hardware          | Servers, switches, PCs                    | PLC, HMI, sensors, motors
Networks          | Ethernet                                  | Fieldbus
Focus             | Reporting, communication                  | Up-time, precision, safety
Change management | Frequent updates and patches              | Infrequent updates and patches
Security          | Confidentiality, integrity, availability  | Safety, reliability, availability
Time requirement  | Normally not time critical                | Real time

Info-Tech Insight

OT interfaces with the physical world, while IT systems are concerned mainly with the cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

  • Security leaders need to understand the direction the organization is headed in.
  • Wise security investments depend on aligning your security initiatives to the organization.
  • Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

Map organizational goals to IT/OT security goals

Input: Corporate, IT, and OT strategies

Output: Your goals for the security strategy

Materials: Secure IT/OT Convergence Requirements Gathering Tool

Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

  1. As a group, brainstorm organization goals.
    1. Review relevant corporate, IT, and OT strategies.
  2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10. This limit is critical to keeping your secure IT/OT convergence focused.
  3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.


Record organizational goals

Sample of the definitions table with columns numbered 1-4.

Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

  1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  2. For each of your organizational goals, identify IT alignment goals.
  3. For each of your organizational goals, identify OT alignment goals.
  4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

Establish scope and boundaries

It is important to know at the outset of the strategy: what are we trying to secure in IT/OT convergence? This includes the physical areas we are responsible for, the types of data we care about, and the departments or IT/OT systems we are responsible for.

This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

Physical Scope and Boundaries

  • How many offices and locations does your organization have?
  • Which locations/offices will be covered by your information security management system (ISMS)?
  • How sensitive is the data residing at each location?
  • You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

  • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
  • Is the system owned or outsourced?
  • Where are you accountable for security?
  • How sensitive is the data that each system handles?

Organizational Scope and Boundaries

  • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
  • Do you have the ability to make security decisions for each department?
  • Who are the key stakeholders/data owners for each department?

OT Systems Scope and Boundaries

  • There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
  • Is the system owned or outsourced?
  • Where are you accountable for safety and security?
  • What reliability requirements does each system handle?

Record scope and boundaries

Sample Scope and Boundaries table.

Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
  • Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  • For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

Plan

Define roles and responsibilities

Input: List of relevant stakeholders

Output: Roles and responsibilities for the secure IT/OT convergence program

Materials: Secure IT/OT Convergence RACI Chart Tool

Participants: Executive leadership, OT leader, IT leader, Security leader

There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

  • Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
  • Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
  • Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
  • Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.


Define RACI Chart

Sample RACI chart with only the 'Plan' section enlarged.

Define responsible, accountable, consulted, and informed (RACI) stakeholders.

  1. Customize the "work units" to best reflect your operation with applicable stakeholders.
  2. Customize the "action" rows as required.

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, the IT network team should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

Plan

Establish governance and build cross-functional team

To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

The maturity ladder with levels 'Fully Converged', 'Collaborative Partners', 'Trusted Resources', 'Affiliated Entities', and 'Siloed' at the bottom. Each level has four maturity indicators listed.

Info-Tech Insight

To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

Centralized security governance model example

Example of a centralized security governance model.

Plan

Identify convergence elements and compliance obligations

To switch the focus from confidentiality and integrity to safety and availability for OT systems, it is important to have a common language, such as the Purdue model, for technical communication.

  • Many OT compliance standards are technically focused and do not address governance and management, whereas IT standards such as the NIST Cybersecurity Framework do. For example, modeling an OT system with the Purdue model will help IT teams understand its assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded in the OT system with respect to safety, reliability, and availability.
  • However, deploying technical solutions or patches to OT systems may void the warranty, so arrangements should be made with the vendor or manufacturer prior to modification.
  • Finally, OT modernizations such as the smart grid, together with the advent of IIoT, where data flow is becoming less hierarchical, have encouraged the birth of a hybrid Purdue model, which maintains segmentation while allowing flexibility for communications.

Level 5: Enterprise Network

Level 4: Site Business

Level 3.5: DMZ
Example: Patch Management Server, Application Server, Remote Access Server

Level 3: Site Operations
Example: SCADA Server, Engineering Workstation, Historian

Level 2: Area Supervisory Control
Example: SCADA Client, HMI

Level 1: Basic Control
Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

Level 0: Process
Example: Sensors, Actuators, Field Devices

(Source: “Purdue Enterprise Reference Architecture (PERA) Model,” ISA-99.)
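The Purdue levels above give IT and OT teams a shared vocabulary for one concrete question: which zone-to-zone flows are allowed. The following is an added example, not part of the Info-Tech blueprint or its tools, that audits a list of permitted flows (the kind of table a firewall rule-base export produces) against the segmentation rule the model implies: traffic between the enterprise side (Levels 4 and 5) and site operations or below (Levels 0 to 3) must terminate in the Level 3.5 DMZ rather than cross it directly. The zone labels, the Flow type, and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass

# Purdue levels as listed on the page, keyed by a zone label used in flow rules.
LEVELS = {
    "enterprise": 5.0,        # Level 5: Enterprise Network
    "site_business": 4.0,     # Level 4: Site Business
    "dmz": 3.5,               # Level 3.5: DMZ
    "site_operations": 3.0,   # Level 3: Site Operations
    "area_supervisory": 2.0,  # Level 2: Area Supervisory Control
    "basic_control": 1.0,     # Level 1: Basic Control
    "process": 0.0,           # Level 0: Process
}

DMZ_LEVEL = LEVELS["dmz"]


@dataclass(frozen=True)
class Flow:
    """One permitted zone-to-zone flow (constructed shape, e.g. a firewall rule row)."""
    src_zone: str
    dst_zone: str
    service: str   # protocol/port label, e.g. "tcp/443"
    desc: str


def classify(flow: Flow) -> str:
    """Return 'ok', 'bypasses_dmz' or 'unknown_zone' for a single flow."""
    if flow.src_zone not in LEVELS or flow.dst_zone not in LEVELS:
        # An unmapped zone cannot be reasoned about, so it is flagged rather than assumed safe.
        return "unknown_zone"
    src, dst = LEVELS[flow.src_zone], LEVELS[flow.dst_zone]
    # One end above 3.5 and the other below 3.5 means the flow skips the DMZ.
    if max(src, dst) > DMZ_LEVEL and min(src, dst) < DMZ_LEVEL:
        return "bypasses_dmz"
    return "ok"


def audit(flows):
    """Group flow descriptions by finding; 'ok' flows are listed too for completeness."""
    report = {"ok": [], "bypasses_dmz": [], "unknown_zone": []}
    for flow in flows:
        report[classify(flow)].append(flow.desc)
    return report


# Constructed sample rule base (hypothetical; port labels are the usual ones for each service).
SAMPLE_FLOWS = [
    Flow("enterprise", "dmz", "tcp/443", "Upstream patch sync to DMZ patch server"),
    Flow("dmz", "site_operations", "tcp/8530", "DMZ patch server to SCADA servers"),
    Flow("site_business", "site_operations", "tcp/1433", "ERP reads historian directly"),
    Flow("enterprise", "basic_control", "tcp/502", "Vendor remote client straight to PLCs"),
    Flow("site_operations", "basic_control", "tcp/502", "SCADA server polls PLCs"),
    Flow("corp_wifi", "process", "udp/161", "Unmapped zone polling field devices"),
]

if __name__ == "__main__":
    for finding, descs in audit(SAMPLE_FLOWS).items():
        for desc in descs:
            print(f"{finding:13s} {desc}")
```

The check encodes the classic hierarchical model; under the hybrid Purdue model mentioned above, a deliberately permitted cross-level path would be carried as an explicit, documented exception rather than by loosening the rule, so that every `bypasses_dmz` finding is either remediated or justified in writing.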

Identify compliance obligations

To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
Example table of compliance obligation standards. Example tables of compliance obligation regulations and guidelines.

(Source: ENISA, 2013; DHS, 2009.)

  • OT systems have compliance obligations under industry regulations and security standards/regulations/guidelines. See the lists given; they are not exhaustive.
  • OT system owners can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
  • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

International series of standards for asset owners, system integrators, and product manufacturers.
Diagram of the international series of standards for asset owners.
(Source: Cooksley, 2021)
  • IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
  • In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
  • For the asset owner who owns and operates a system, IEC 62443-2 enables defining a target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
  • For the system integrator, IEC 62443-3 helps evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verifying that components provided by the product manufacturer are securely developed and support the functionality required.

Record your compliance obligations

Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
  1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
    1. Laws
    2. Government regulations
    3. Industry standards
    4. Contractual agreements
    Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
  2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
  3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.
Table of mandatory and voluntary security compliance obligations.

Plan

Assess readiness

Readiness checklist for secure IT/OT convergence

People

  • Define roles and responsibilities for IT/OT interaction based on skill sets and the degree of executive support and alignment.
  • Adopt well-established security governance practices for cross-functional teams.
  • Analyze and develop the required skills by implementing awareness, induction, and cross-training programs.

Process

  • Conduct a maturity assessment of key processes and highlight interdependencies.
  • Redesign cybersecurity processes for your secure IT/OT convergence program.
  • Develop a baseline for, and periodically review, risks, security policies and procedures, incident response, disaster recovery, and the business continuity plan.

Technology

  • Conduct a maturity assessment and identify convergence elements and compliance obligations.
  • Develop a roadmap and deploy converging security architecture and controls step by step, working with trusted technology partners.
  • Monitor security metrics on effectiveness and efficiency and conduct continuous testing by red-team and blue-team activities.

(Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)

Enhance

Update security strategy

To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.

Cycle for updating security strategy: 'Architecture design', 'Procurement', 'Installation', 'Maintenance', 'Decommissioning'.
(Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)
  • The OT system life cycle resembles the IT system life cycle, starting with architectural design and ending with decommissioning.
  • Currently, IT only gets involved from installation or maintenance onward, so IT may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle.
  • Finally, it is necessary to have proportional sharing of responsibilities between IT leaders, security leaders, and OT leaders, who have broader responsibilities.

Enhance

Update risk management framework

The need for asset and threat taxonomy

  • One of the issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may degrade a machine or take it offline and may not be applicable. For example, some facilities run with a reliability of 99.999%, which only allows a maximum of 5 minutes and 35 seconds or less of downtime per year.
  • Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats can help.
  • Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment; e.g. running an antivirus tool on an OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.
Risk management framework.
(Source: ENISA, 2018.)

Enhance

Update security policies and procedures

  • Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance applies to all organizations, and vulnerabilities affect organizations of all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed by attackers as ideal proxies.
  • Updating security policies to align with the OT system, so that there is a uniform approach to securing both IT and OT environments, has several benefits, such as enhancing the overall security posture as issues are pre-emptively avoided, being better prepared for auditing and compliance requirements, and improving governance, especially where OT governance is weak.
  • In updating security policies, it is important to redefine the policy framework to include the OT framework and to prioritize the development of security policies. For example, entities that own or manage US and Canadian electric power grids must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, specifically CIP-003 for Policy and Governance. This can be achieved by understanding the current state of policies and by right-sizing the policy suite based on a policy hierarchy.
  • The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy, such that it must include both IT and OT.

Policy hierarchy example

This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.

Example policy hierarchy with four levels, from top-down: 'Governance', 'Process-based policies', 'Prescriptive/ technical (for IT including OT elements)', 'Prescriptive/ technical (for users)'.

Enhance

Update IR, DR, and BCP

A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)

  1. Customize the organizational chart for IT/OT IR, DR, and BCP based on the governance and management model.
    E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
  2. Adjust the authority of the new organizational chart and decide whether it requires additional staffing.
    E.g. full authority, shared authority. (Software Engineering Institute, 2003)
  3. Update the IR plan, DR plan, and BCP for IT/OT convergence.
    E.g. incorporate zero trust principles for the converged network.
  4. Test the updated IR plan, DR plan, and BCP.

Optimize

Implement awareness, induction, and cross-training

To develop training and awareness programs for all levels of the organization, it is important to understand the common challenges in IT security that also affect secure IT/OT convergence and how to overcome those challenges.

Alert Fatigue

Too many false alarms, too many events to process, and an evolving threat landscape waste analysts’ valuable time on mundane tasks such as evidence collection. Meanwhile, only limited time is left for decision and conclusion, which results in fear of missing an incident, and in alert fatigue.

Skill Shortages

Obtaining and retaining cybersecurity-skilled talent is challenging. Organizations need to invest in the people, but not all organizations will be able to invest sufficiently to have their own dedicated security team.

Lack of Insight

To report progress, clear metrics are needed. However, cybersecurity still falls short in this area, as the system itself is complex and much work is siloed. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.

Lack of Visibility

Ensuring complete visibility of the threat landscape, risks, and assets requires system integration and a consistent workflow across the organization, and the convergence of OT, IoT, and IT compounds this challenge (e.g. machines cannot be scanned during operational uptime).
(Source: Security Intelligence, 2020.)
“Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022)

Awareness may not correspond to readiness

  • An issue with IT/OT convergence training and awareness arises when awareness exists but the personnel are trained only for IT security and not for OT-specific security. For example, some organizations still use generic topics such as not opening email attachments even when the personnel do not use email or a web browser at all in their work. (“Assessing Operational Readiness,” Dragos, 2022)
  • Meanwhile, as is the case with IT, OT security training topics are broad, such as OT threat intelligence, OT-specific incident response, and tabletop exercises.
  • Hence, a training program development plan is required that considers the various audiences and topics and maps them to each other.
  • Moreover, roles are also evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security & ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIoT security specialist, where the OT/IIoT security specialist is a new role. (“Grid Modernization: Optimize Opportunities and Minimize Risks,” Info-Tech)
  • In conclusion, it is important to approach talent development with an open mind. The ability to learn and flexibility in the face of change are important attributes, and technical skill sets can be improved with certifications and training.
“One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.)

Certifications

What are the options?
  • One issue with certification is the complexity of matching topic relevance to roles and levels.
  • An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications.

Specific cybersecurity certification of ICS/SCADA
Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course.

Other relevant certification schemes
Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP).

Safety Certifications
Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

Order of certifications with 'Orientation' at the top, then 'Scope', then 'Support'. (Source: ENISA, 2015.)

Optimize

Design and deploy converging security architecture and controls

  • IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred to as the “OT High-Security Zone” and the topmost layer as the “IT Low-Security Zone.” Each layer has its own set of controls configured and acts as an additional layer of security for the zone underneath it.
  • Data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified before it passes to another zone, based on the need-to-know principle.
  • In the normal control flow within the “OT High-Security Zone,” from level 3 down to level 0, the traffic must be verified before it passes to another level, based on the principle of least privilege.
  • Remote access (dotted arrow) is allowed only under strict access control and change control based on the zero-trust principle, with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone.”
  • This model simplifies the security process: if a lower layer is compromised, the compromise can be confined to that layer, and lateral movement is prevented because access is always verified.
Diagram for the deployments of converging security architecture. (Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)
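The zone rules above can be written down as an explicit flow policy, which makes them testable before any firewall or data diode is configured. The following is an added example, not code from the blueprint or from Info-Tech; the level-to-zone mapping (levels 0-3 as OT High-Security, a level 3.5 DMZ as OT Low-Security, levels 4-5 as IT Low-Security), the principals, assets and allow-lists are all constructed assumptions.

```python
"""Flow-policy evaluator for the layered IT/OT zone model (added example).
Level numbers, zone names and the rule set are one reading of the text;
principals, assets and allow-lists below are constructed sample data."""
from dataclasses import dataclass, field

# Assumption: Purdue-style levels mapped onto the three zones named above.
ZONE_OF = {0: "OT-HIGH", 1: "OT-HIGH", 2: "OT-HIGH", 3: "OT-HIGH",
           3.5: "OT-LOW", 4: "IT-LOW", 5: "IT-LOW"}

@dataclass
class Flow:
    kind: str            # "data", "control" or "remote"
    principal: str       # user or service identity making the request
    src: float           # level of the source host
    dst: float           # level of the destination host
    dst_asset: str       # asset being reached
    mfa: bool = False    # strong authentication presented for the session
    change_ticket: bool = False  # approved change record for the session

@dataclass
class Policy:
    # need-to-know: assets each principal may read across a zone boundary
    need_to_know: dict = field(default_factory=dict)
    # least privilege: assets each principal may send control traffic to
    control_rights: dict = field(default_factory=dict)
    # state of the "point for disconnection" between OT-HIGH and OT-LOW
    remote_path_open: bool = True

def evaluate(flow: Flow, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason). Every flow is verified; nothing is
    trusted just because of the zone it originates from."""
    src_zone, dst_zone = ZONE_OF[flow.src], ZONE_OF[flow.dst]
    if flow.kind == "data":
        # Data only moves upward, toward the IT Low-Security Zone; a
        # same-level hop is lateral movement and is refused outright.
        if flow.dst <= flow.src:
            return False, "data flow must move from a lower to a higher level"
        # Crossing a zone boundary requires a need-to-know entry.
        allowed = policy.need_to_know.get(flow.principal, set())
        if src_zone != dst_zone and flow.dst_asset not in allowed:
            return False, f"{flow.principal} has no need-to-know for {flow.dst_asset}"
        return True, "data flow verified"
    if flow.kind == "control":
        # Control flow stays inside OT-HIGH and descends (level 3 -> 0).
        if src_zone != "OT-HIGH" or dst_zone != "OT-HIGH" or flow.dst >= flow.src:
            return False, "control flow must descend within the OT High-Security Zone"
        if flow.dst_asset not in policy.control_rights.get(flow.principal, set()):
            return False, f"{flow.principal} lacks a least-privilege right on {flow.dst_asset}"
        return True, "control flow verified"
    if flow.kind == "remote":
        # Remote sessions terminate in OT-LOW (the segmented entry point),
        # never directly in OT-HIGH, and need strict access + change control.
        if dst_zone != "OT-LOW":
            return False, "remote access must terminate in the OT Low-Security Zone"
        if not (flow.mfa and flow.change_ticket):
            return False, "remote access requires MFA and an approved change"
        if not policy.remote_path_open:
            return False, "remote path is disconnected"
        return True, "remote access verified"
    return False, f"unknown flow kind {flow.kind!r}"
```

Running the evaluator over a proposed rule set is a cheap way to catch a permitted path from the IT zone straight into a PLC before it reaches production.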

Off-the-shelf solutions

Getting the right recipe: What criteria to consider?

Visibility and Asset Management

Passive data monitoring using various protocol layers, active queries to devices, or parsing configuration files of OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, sandboxing) not only in IT but also in relevant environments, e.g. IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options and extensive integration capabilities, and affordability.

Optimize

Establish and monitor IT/OT security metrics for effectiveness and efficiency

Role of security metrics in a cybersecurity program (EPRI, 2017.)
  • Requirements for secure IT/OT are derived from mandatory or voluntary compliance, e.g. NERC CIP, NIST SP 800-53.
  • Frameworks for secure IT/OT are used to build and implement security, e.g. NIST CSF, AESCSF.
  • Maturity of secure IT/OT is used to measure the state of security, e.g. C2M2, CMMC.
  • Security metrics have the role of measuring effectiveness and efficiency.

Safety

OT interfaces with the physical world. Thus, metrics based on risks related with life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)

Business Performance

The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)

Technology Performance

Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)

Security Culture

Metrics for the overall quality of the security culture use indicators such as compliance and audit, vulnerability management, and training and awareness.

Further information

Related Info-Tech Research


Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.


Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.


Implement a Security Governance and Management Program

Your security governance and management program needs to be aligned with business goals to be effective.

This approach also helps provide a starting point to develop a realistic governance and management program.

This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Bibliography

Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.

“Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.

Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

“Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.

“Cybersecurity in Operational Technology: 7 Insights You Need to Know.” Ponemon, 2019. Web.

“Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.

Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 2 Sep. 2022.

“Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.

Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022.

Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.

“ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.

Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.

Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.

O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.

Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” ZDNET, 8 Aug. 2022. Accessed 19 Aug. 2022.

Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.

Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.

“Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.

Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.

“Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.

Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.

“2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.

“2021 State of Operational Technology and Cybersecurity Report.” Fortinet, 2021. Web.

Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.

Research Contributors and Experts

Jeff Campbell
Manager, Technology Shared Services
Horizon Power, AU

Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors.

Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability.

As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

Christopher Harrington
Chief Technology Officer (CTO)
Carolinas Telco Federal Credit Union

Frank DePaola
Vice President, Chief Information Security Officer (CISO)
Enpro

Kwasi Boakye-Boateng
Cybersecurity Researcher
Canadian Institute for Cybersecurity

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Authors

Ida Siahaan

Robert Dang

Jing Wu

Mike Schembri

William Wong
