Many industrial companies are considering converging their IT and OT cybersecurity programs to address security gaps, optimize use of limited cybersecurity resources, and enable secure deployment of digital transformation programs. At the same time, they recognize that convergence can be challenging given the differences in culture, goals, and environments.
ARC Advisory Group devoted two sessions to this important issue at the 2019 ARC Industry Forum in Orlando, Florida. Part 1 of this report discusses the findings of the workshop conducted on the first day of the Forum. Part 2 of the report will discuss the presentations given on the second day of the event by three CISOs who lead converged programs.
The IT/OT Cybersecurity Convergence workshop began with a brief ARC presentation about the goals, challenges, and strategies underlying many convergence programs. This provided a framework for the subsequent panel discussions. Panelists included three IT leaders and three OT leaders. All are actively involved in successful convergence efforts. They discussed the challenges they encountered and the methods used to build integrated IT/OT cybersecurity programs.
IT/OT Cybersecurity Convergence Challenges and Strategies
IT/OT cybersecurity convergence has the potential to solve many industrial cybersecurity challenges. Shared responsibility for the security of IT/OT interfaces can help companies eliminate malware propagation across systems. Cross-trained, collaborative teams can fill critical expertise gaps and improve incident response efforts. Common processes and metrics can increase visibility of risks and help companies focus efforts and investments on the most critical issues.
To reap these benefits, organizations need to make changes in every aspect of their cybersecurity strategies.
An integrated technology strategy is essential to ensure full visibility of vulnerabilities and threats. This also amplifies the effectiveness of resources and minimizes licensing, training, and support costs. While conditions may require different solutions for IT and OT, effort must be made to ensure that these tools are compatible and fully integrated.
From a process perspective, organizations need to rationalize cybersecurity activities and ensure that every aspect of the company’s operations has the same level of security and visibility. Companies cannot afford to have any weak links in their security chain. Key areas to consider include managing vulnerabilities and detecting anomalous events.
Integrating cybersecurity teams is probably the biggest challenge for companies considering IT/OT cybersecurity convergence. Significant differences in IT and OT cultures must be overcome to drive effective collaboration and cross-domain support. Establishing the right organizational structure is essential.
The most common strategy seems to be creating a single cybersecurity organization charged with three major objectives:
- Shared, end-to-end responsibility for securing all business processes
- Global corporate governance of all cybersecurity policies, procedures, technology, guidelines, etc.
- Continuous management of all cyber-assets, vulnerabilities, and threats regardless of where they appear
This may be implemented through formal organizational changes or through virtual teams of people who work in all of the related areas like IT operations, OT operations, and security operations centers (SOCs). Most organizational plans also include third parties with specific expertise. These are often used for peripheral tasks like program audits, system assessments, and pen testing.
The CISO, CIO, or someone else in top management is generally given responsibility for overall coordination and reporting to the board of directors.
End User Concerns and Suggestions
Six end users participated as workshop panelists. These included Dawn Cappelli, CISO at Rockwell Automation; Mandy Huth, VP Cybersecurity at Kohler Corporation; Tammy Klotz, Information Security Director for Versum Materials; Rob Cox, Manager Operations Technology at Georgia-Pacific; Chris Da Costa, Operations Technology–Cyber Security Manager for Air Products and Chemicals; and Jim LaBonty, Director, Global Technology & Engineering for Pfizer.
This balance of IT and OT expertise was intentional, to ensure a range of perspectives. While their comments reflected these different backgrounds, it was heartening to see similar views regarding convergence benefits and challenges. Recommendations for overcoming the roadblocks also indicated a shared view of cybersecurity as a separate discipline. Ideally, these professionals can support cyber-assets in any environment once they are trained in its unique needs and constraints. Some key observations panelists noted during the discussions follow.
There was general consensus that people represent the biggest challenge in IT/OT cybersecurity convergence. Building trust between IT and OT personnel is essential and should be fostered through collaborative involvement of both groups to develop common metrics, standards, policies, and processes. Common terminology, shared understanding of risks, and recognition of individual strengths facilitate effective teamwork and help focus everyone’s effort on the issues that represent the most risk to the entire organization.
Gaining support from plant operations and engineering is equally important. This requires successful interactions that demonstrate respect for plant performance goals. Plant engineers are often happy to offload responsibility for cybersecurity tasks like patching, but only if they are confident that cybersecurity professionals will not create problems for normal system operation.
All panelists stressed the importance of developing and retaining cybersecurity resources. The general shortage of cybersecurity experts frustrates hiring efforts, and all of the panelists face the challenges of an aging workforce. They emphasized the importance of giving employees rewarding assignments and establishing clear career paths for people who join the cybersecurity team.
Keywords: Information Technology, Operational Technology, IT/OT Convergence, ARC Industry Forum, Cybersecurity, CISO, ARC Advisory Group.