Assessing the Operational Security Risks in the IT/OT Convergence

Typically, industrial operations are inherently brownfield environments. Consequently, when we try to deploy legacy air-gapped operational technology (OT) systems, it often lacks the conventional IT environment (and its architecture). Nonetheless, while establishing these remote linkages to operational data and systems, we concurrently expose the operations environment to new threats, such as unauthorized data access, corporate espionage, and the potential for harm to health, safety, and vital infrastructure. That's why organizations must work inside this challenging legacy environment to digitize, monitor, diagnose, and ultimately develop autonomous capabilities.

Businesses often pursue?Industry 4.0?use cases without a comprehensive security strategy and holistic approach. Unfortunately, this introduces substantial hazards that companies frequently fall prey to it. One such issue is failing to contextualize the data and connectivity of a particular asset or process within the context of upcoming work or work processes. In addition, this lack of a strategic approach creates challenges downstream when companies look to advance monitoring, diagnostic, and control capabilities and utilize the data for use cases. The following points can summarize those?"downstream challenges":

• There are blind spots in visibility into a specific process or asset, which limits the capacity to contextualize the data for valuable insights across all significant applications and use cases.
• By installing technologies in silos, additional heterogeneity and complexity are introduced, creating difficulties in managing them at scale and increasing the difficulty of controlling and safeguarding the whole environment.
• Organizational difficulties originate from the reinforcement of segregated/siloed duties in physical vs. digital asset management, physical security against cybersecurity, and physical versus digital process management (e.g., data management versus process execution).
• Absence of a holistic (and continuous) strategy and tactics for monitoring all equipment, software, and operating systems connected to the company's IT/OT network.

In over 1,000 industrial IT and operations experts,?IDC's 2020 Worldwide IT/OT Convergence Survey?found that security concerns about integrating IT and OT systems were the main roadblock at more than 50% of the organizations surveyed.?Despite this, businesses continue to push forward with the development of capabilities for Industry 4.0 while considering security as an afterthought. Current approaches create downstream difficulties that compound security concerns, and IT/OT convergence can become more complex.?For instance, establishing blind spots in terms of the asset's visibility makes the already difficult task of safeguarding that asset more difficult. In addition, isolated deployments of technology make it considerably more challenging to design a security program that considers all of the entry points?via?which a threat could compromise operations.?

Besides that, it is pretty challenging to discover substantial anomalous changes to data and applications when an organization separates the management of data and networks from the activity of actually carrying out work.?Concurrently, the very nature of IT/OT convergence has increased the overall threat surface area for an organization in some of its highest risk contexts, namely those where human health and safety are at stake.?So now, it is necessary for businesses that have put the cart before the horse to create and implement an all-encompassing plan that takes into account both the efforts that have been made in the past and those that will be made in the future.

In conclusion, the convergence of IT and OT is not a matter of personal preference but an emerging and developing reality. The COVID-19 outbreak sped up the transition to digital formats, which was already underway.?The on-premises security teams deployed earlier are now dispersed to other branch offices and home offices. The proliferation of the Internet of Things devices is not being matched proportionally by adding additional IT/OT/IoT staff members.?And even though the current challenges (as mentioned above) about OT security are problematic, organizations are discovering that integration?via?the public cloud results in cost savings in storage, advantages in cloud computing, and an easier path to push one-to-many software upgrades to local machines.?However, suppose the integration is being carried out accurately. In that case, businesses will eventually adapt cybersecurity as an integral part of their operational processes, guaranteeing continued sustainability over the long run.

About the Author:

Rahul Guhathakurta?(ORCID: 0000-0002-6400-6423) is a strategic management consultant and is currently affiliated with Anaha Innovations — an Ahmedabad-based technology business incubator and private equity firm. Also, he is a primary investor in IndraStra Global — a US-based publishing company.

NOTE: This article was originally published at?IndraStra.com?on July 16, 2022.