Many industrial companies have passive cybersecurity programs that can’t deal with today’s sophisticated threat environment or ensure the security of broad remote worker enablement and digital transformation programs. Industrial companies need active defense programs that can stop sophisticated attackers before they impact operations and threaten worker safety. Many see IT-OT cybersecurity convergence as a cost-effective way to address today’s and tomorrow’s cybersecurity challenges. The recent ARC Industry Forum, which was held virtually this year for the first time, included a substantial cybersecurity program, and managing this convergence of IT and OT cybersecurity domains was discussed in several sessions. Here’s a brief summary of some of the key issues we discussed:
IT-OT Cybersecurity Convergence Addresses Security Gaps
While companies increasingly appreciate the serious gaps in conventional industrial cybersecurity programs, addressing these issues is challenging. The global shortage of cybersecurity professionals, particularly those with OT experience, makes it difficult to hire additional staff. Operating constraints limit the access that security teams need to keep defenses updated. Emphasis on isolation as the primary defense constrains the visibility of vulnerabilities and abnormal system behaviors.
An onslaught of new cybersecurity challenges also diverts everyone’s attention from existing problems. Today, security teams have to develop security strategies for cloud data, in motion and at rest; apps that are being moved to the cloud; remote access users and all their devices; and the security of new IoT devices and embedded systems. They also have to provide secure environments for edge compute platforms. The fluidity of all of the deployment options makes it impossible for companies to maintain security unless they have:
• End-to-end security solutions that span every endpoint and communication pathway
• Centralized management of consistent security policies
• Zero trust security for every step of every system interaction
Plants and facilities will clearly struggle to make the needed investments in OT cybersecurity people, processes, and technologies to address existing gaps and new challenges. But most companies already have IT security teams with the people, processes, and technologies in place to deal with these issues. Those that don’t will certainly need to make investments in IT security. Converging IT and OT cybersecurity programs provides a way to leverage these capabilities and investments to improve OT cybersecurity.
There will always be core OT-specific cybersecurity issues that require unique people, processes, and technologies. But this doesn’t mean that they can’t be addressed as part of a converged cybersecurity program. Trying to maintain siloed IT and OT cybersecurity programs will only frustrate efforts to address existing and emerging security challenges and increase the risks of deploying new business strategies that integrate traditional IT and OT systems with cloud, IoT, and mobile solutions.
Industrial Leaders Share Cybersecurity Visions
The current state and future needs of OT cybersecurity strategies were the focus of the first cybersecurity session at ARC’s 2021 Virtual Industry Forum. ARC Advisory Group provided an analyst’s view of the topic based on the company’s 10 years of qualitative and quantitative industrial cybersecurity research. Three distinguished end users also shared their views: Ian Henderson, VP Automation System Security at BP; Nathan Faith, Corporate Nuclear Security, Cyber Security Manager at Exelon Generation; and Eric Cosman, Contributing Consultant at ARC Advisory Group, who spent 37 years with Dow Chemical and was the Co-Chair of the ISA committee that developed the ISA99/IEC-62443 standard.
ARC encourages you to view the recording of the full session by registering for the ARC 2021 Virtual Industry Forum at our event site. The Industrial Cybersecurity Today and Tomorrow Part 1 session can be found in the agenda under Day 1, Track 4. Registration will also give you access to the recordings of all the Forum sessions, including those in our extensive three-day cybersecurity program during the first week and a great session on smart cities cybersecurity during week 2. We had an impressive set of end-user speakers and roundtable discussions on a variety of hot topics like IT/OT cybersecurity convergence, the MITRE ATT&CK Framework for ICS, and Software Supply Chain Security.