What OT/IT Convergence Means for your Industrial Organization
How Connectivity is Affecting Your Cybersecurity Risks and How to Manage
The evolution of Operational Technology (OT)/Informational Technology (IT) convergence across different types of industries such as oil and gas, refining chemicals, power and more, has evolved over the years from being viewed as solely connectivity into a full cybersecurity practice that includes assessing, designing, integrating and advisory consulting.
Often, convergence and integration terminology get misused which causes confusion towards what businesses really need in terms of cybersecurity. IT/OT convergence can be thought of in two parts, first is technology convergence which has been happening across organizations for over 40 years. This includes IT technology such as ethernet, Windows, domains, virtual infrastructure, etc. being used in an industrial control system environment. The second part is integration, and this is driven by business need. Organizations have found that there is a business need to connect control systems with IT systems for driving data and by connecting these networks, we are following the convergence of technology, where IT systems are brought into control systems environments and the integration of these and the increased cyber risk that comes along with that.
How IT/OT Convergence Is Affecting Cybersecurity Risks
Cybersecurity risk comes into play because now our environments and our businesses are more dependent on new technologies that are now converging, integrating and connecting together. As we become more dependent on technology due to IT/OT convergence, the impact of cyber incidents increase, and the impact of an incident is greater.
The industrial environment, for example, is primarily dominated by safety, making organizations in the chemicals, oil and gas, and refining industries earlier adopters into control systems security and cybersecurity. Maintaining protection on critical infrastructure is very important for industrials as cyber risk incidents can affect health and large populations if gone undetected and being an early adopter into convergence enables these legacy buildings and organizations to save costs with new technology. Instead of re-building multi-million-dollar facilities, new convergence technology helps increase reliability, lower emissions, better production and increase quality. The key to success is knowing where you stand in your cybersecurity journey and how to continue mitigating incidents.
Cybersecurity Isn't A Destination, It's A Journey
Each new company, customer and individual has a different starting point or different maturity level that they are on when it comes to cybersecurity within their organization. Companies may have just started figuring out that they need cybersecurity but do not know where to begin or they could be on the other end of the spectrum, where they are very mature and they just need some advanced advisory to help them fine tune their efforts or fill in a couple of gaps, or they could be somewhere in the middle. By bucketing organizations into three phases, it helps them to realize what they need in order to progress.
- PHASE 1: At the beginning phase, companies are just focused on foundational items. Getting assessments to understand what to do next with consultants or experts is important. They’re working on their network infrastructure and network perimeter to get their control systems isolated and protected from the internet and business networks and trying to deal with malware prevention, patching, and more. But mostly, these phase 1 organizations are just trying to reduce their risk without a ton of control systems’ knowledge.
- PHASE 2: This is the phase where organizations are starting to improve. They are focusing on the perimeter, basic blocking and tackling and moving onto training to change their cybersecurity processes and procedures such as change management procedures, document management and approval process that now include cybersecurity. With basic detection capabilities, these companies are starting to build data with dashboards to help with risk management.
- PHASE 3: This is the more progressive and advanced phase. Organizations are looking at contracts, embedding cybersecurity into their engineering processes to address and manage cyber risk before a new control system goes live, and they are more risk informed. Meaning, they evaluate the risk of a new investment, new technology and move into a mode of continuous improvement.
When External Services Prove To Be Beneficial
Most commonly, organizations start out with the ‘let’s solve this problem ourselves’ mentality. But then start to realize that the technology they need, the skills they need, the costs, the speed, the urgency, etc. to achieve these capabilities is when outside help is necessary. External managed services can come in at any phase to help an organization. At the assessment point, they can help determine how to prioritize where a company needs to start, they can then help to outsource control systems, cybersecurity or certain elements as significant cost savings. Additionally, an outside provider is able to bring leading capabilities in a matter of months, as opposed to what could have taken the organization years to try and attempt on their own with limited resources.
Many external consultants and advisory organizations, such as Honeywell, are able to quickly spot red flags for when organizations should beef up their cybersecurity. Lagging indicators, as in ‘you don’t know what to do next,’ is the most common red flag Honeywell cybersecurity experts see. If you don’t know whether to invest in a new technology or training, or to improve a process, then that is where an assessment is great at helping prioritize. These external services help provide that assessment and help suggest what you should do in the next 1, 3, or 5 years out. Other lagging indicators could be that a large amount of rogue devices or shadow infrastructure is appearing on the network, often indicating engineering or approval processes that need to be approved, zero detection capabilities or the lack of 24/7 monitoring.
With consistent monitoring and early detection, organizations can move into the mode of being proactive instead of reacting to a ‘fire.’ In cybersecurity, the ability to detect and investigate suspicious cyber behaviors, logins, network communicators, use of tools, unauthorized software, and more enables you to actually intervene or take action before the event happens, reducing the likelihood of an incident. Responding to these small ‘fires’ can prevent it from becoming a big ‘fire.’ When health and safety is a top priority of your business, controlling cyber risk is more important than ever
To learn more about cyber risk, how to prevent it and key software applications that can help, listen to our full podcast episode on the convergence of IT and OT for industrial companies here.