IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges in:
- Governing and managing IT and OT security and accountabilities.
- Converging security architecture and controls between IT and OT environments.
- Compliance with regulations and standards.
- Metrics for OT security effectiveness and efficiency.
Our Advice
Critical Insight
- Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
- Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
- OT interfaces with the physical world, while IT systems are concerned more with the cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.
Impact and Result
Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to:
- initiate communication to define roles and responsibilities.
- establish governance and build cross-functional team.
- identify convergence components and compliance obligations.
- assess readiness.
Secure IT/OT Convergence
Create a holistic IT/OT security culture.
Analyst Perspective
Are you ready for secure IT/OT convergence?
IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.
In the past, OT systems were engineered to be air gapped, relying on physical protection, with little or no security in their design (e.g. OT protocols without confidentiality properties). Now, however, OT has become dependent on the IT capabilities of the organization, so OT inherits IT’s security issues; that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.
A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.
Ida Siahaan
Research Director, Security and Privacy Practice
Info-Tech Research Group
Executive Summary
Your Challenge
IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:
Common Obstacles
Info-Tech’s Approach
Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:
Info-Tech Insight
Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.
Consequences of unsecure IT/OT convergence
OT systems were built with no or little security design
90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)
Lack of visibility
86% of OT security-related service engagements lacked complete visibility of the OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)
The need for secure IT/OT convergence
Important Industrial Control System (ICS) cyber incidents
- 1903. Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
- 2000. Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
- 2010. Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
- 2012. Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.
- 2013. Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.
- 2014. Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
- 2016. Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
- 2017. Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
- 2021. Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.
- 2022. Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
(Source: US Department of Energy, 2018; “Significant Cyber Incidents,” CSIS, 2022; MIT Technology Review, 2022.)
Info-Tech Insight
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Case Study: Horizon Power
Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management, moving away from centralized generation to decentralized, community-led generation, which is reflected in its maturity in converging IT and OT.
Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent. In these early days of the journey, the focus was on applying mature IT approaches, such as adoption of cloud services, to the OT environment, rather than converging the two.
Many years later, Horizon Power has enabled OT data to be more accessible in order to derive business benefits, such as customer usage data using data analytics, with the objective of improving the collection and management of the OT data to improve business performance and decision making. The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that supports delivery of the site services.
Results
The lessons learned in converging IT and OT from Horizon Power were:
The Secure IT/OT Convergence Framework
IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will cause problems. Therefore, IT and OT need to learn to live together, starting with communication to build trust and to overcome their differences.
Convergence Elements
Target Groups
Security Components
- Plan: Governance; Compliance
- Enhance: Security strategy; Risk management; Security policies and procedures; IR, DR, and BCP
- Monitor &: Awareness and cross-training; Architecture and controls
Plan Outcomes
Plan Benefits
Plan
Initiate communication
To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
Info-Tech Insight
OT interfaces with the physical world, while IT systems are concerned more with the cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support. Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.
Map organizational goals to IT/OT security goals
Input: Corporate, IT, and OT strategies
Output: Your goals for the security strategy
Materials: Secure IT/OT Convergence Requirements Gathering Tool
Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management
- As a group, brainstorm organization goals.
- Review relevant corporate, IT, and OT strategies.
- Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
- For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.
Download the Secure IT/OT Convergence Requirements Gathering Tool
Record organizational goals
Refer to the Secure IT/OT Convergence Framework when filling in the following elements.
- Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
- For each of your organizational goals, identify IT alignment goals.
- For each of your organizational goals, identify OT alignment goals.
- For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.
Establish scope and boundaries
It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence?
This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.
Physical Scope and Boundaries
IT Systems Scope and Boundaries
Organizational Scope and Boundaries
OT Systems Scope and Boundaries
Record scope and boundaries
Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
Plan
Define roles and responsibilities
Input: List of relevant stakeholders
Output: Roles and responsibilities for the secure IT/OT convergence program
Materials: Secure IT/OT Convergence RACI Chart Tool
Participants: Executive leadership, OT leader, IT leader, Security leader
There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:
- Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
- Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
- Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
- Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.
Download the Secure IT/OT Convergence RACI Chart Tool
Define RACI Chart
Define responsible, accountable, consulted, and informed (RACI) stakeholders.
Info-Tech Insight
The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.
Plan
Establish governance and build cross-functional team
To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.
Info-Tech Insight
To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.
Centralized security governance model example
Plan
Identify convergence elements and compliance obligations
To switch the focus from confidentiality and integrity to safety and availability for OT systems, it is important to have a common language such as the Purdue model for technical communication.
- Level 5: Enterprise Network
- Level 4: Site Business
- Level 3.5: DMZ
- Level 3: Site Operations
- Level 2: Area Supervisory Control
- Level 1: Basic Control
- Level 0: Process
Identify compliance obligations
To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series
International series of standards for asset owners, system integrators, and product manufacturers. (Source: Cooksley, 2021)
Record your compliance obligations
Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
Plan
Assess readiness
Readiness checklist for secure IT/OT convergence
People
Process
Technology
(Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)
Enhance
Update security strategy
To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.
(Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)
Enhance
Update risk management framework
The need for asset and threat taxonomy
(Source: ENISA, 2018.)
Enhance
Update security policies and procedures
The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy such that it must include both IT and OT.
Policy hierarchy example
This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.
Enhance
Update IR, DR, and BCP
A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)
- Customize organizational chart for IT/OT IR, DR, BCP based on governance and management model. E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
- Adjust the authority of the new organizational chart and decide if it requires additional staffing. E.g. full authority, shared authority. (Software Engineering Institute, 2003)
- Update IR plan, DR plan, and BCP for IT/OT convergence. E.g. incorporate zero trust principles for the converged network.
- Test the updated IR plan, DR plan, and BCP.
Optimize
Implement awareness, induction, and cross-training
To develop training and awareness programs for all levels of the organization, it is important to understand the common challenges in IT security that also affect secure IT/OT convergence and how to overcome those challenges.
“Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022)
Awareness may not correspond to readiness
“One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.)
Certifications
What are the options?
Specific cybersecurity certification of ICS/SCADA
Other relevant certification schemes
Safety Certifications
Optimize
Design and deploy converging security architecture and controls
Off-the-shelf solutions
Getting the right recipe: What criteria to consider?
Optimize
Establish and monitor IT/OT security metrics for effectiveness and efficiency
Role of security metrics in a cybersecurity program (EPRI, 2017.)
OT interfaces with the physical world. Thus, metrics based on risks related to life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)
The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)
Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)
Metrics for the overall quality of security culture use indicators such as compliance and audit, vulnerability management, and training and awareness.
Further information
Related Info-Tech Research
Build an Information Security Strategy
Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.
Preparing for Technology Convergence in Manufacturing
Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication. Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.
Implement a Security Governance and Management Program
Your security governance and management program needs to be aligned with business goals to be effective. This approach also helps provide a starting point to develop a realistic governance and management program. This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.
Bibliography
- Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.
- “Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.
- Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer’s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.
- “Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.
- “Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.
- “Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web.
- “Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.
- Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022.
- “Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.
- Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022.
- Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
- “ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.
- Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.
- Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.
- O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
- Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022.
- Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.
- Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.
- “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.
- Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.
- “Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.
- Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.
- “2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.
- “2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web.
- Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.
Research Contributors and Experts
Jeff Campbell
Manager, Technology Shared Services
Horizon Power, AU
Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors. Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability. As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.
Christopher Harrington
Chief Technology Officer (CTO)
Carolinas Telco Federal Credit Union
Frank DePaola
Kwasi Boakye-Boateng