The intersection and evolution of operational technology (OT) and information technology (IT), as well as the cybersecurity risks associated with both are becoming increasingly critical business challenges for organisations of all sizes, across all geographies.
As digital transformation expands into OT environments, convergence with IT systems is inevitable. This convergence may generate exciting business opportunities, such as creating new sources of income and improving business outcomes, but it also presents new cybersecurity risks and complexities, for which many industry leaders are not prepared.
Why Is OT/IT Convergence So Complex?
There are many overlapping forces driving the OT and IT worlds together, creating a hairball of complexity from varying sources:
- People: OT and IT communities are historically different in many ways (technological, operational, regulatory and culturally) and have different priorities and focuses.
- Technology: The age of technology in OT environments means that legacy equipment and machinery are often incompatible with the latest IT software, increasing their vulnerability to cyberthreats.
- Mindsets: Historically, ‘secure by design’ has not been a focus in OT. System uptime and employee safety have traditionally been prioritised over cybersecurity in OT environments, unlike IT where cybersecurity is ingrained.
Understanding the Risk and Impact
OT/IT cybersecurity is a strategic issue, not just a technical requirement, and it must be designed into systems as early as possible. The consequences of not acting from the start far outweigh any advantages gained by disregarding the issue.
This is particularly true for critical infrastructure, such as water purification systems, power grids, air traffic control systems, communications networks and battlefield command-and-control systems, all of which are open to potential cybersecurity risk. Always assume that your adversaries are willing to exploit your Achilles heel when it comes to securing OT/IT systems.
Key Attention Areas in OT/IT Convergence
All senior business leaders should consider the following areas with OT/IT convergence and cybersecurity:
- Mindset: Industry leaders need the right mindset to balance cybersecurity best practices with a seemingly endless number of new devices and data sources caused by OT/IT convergence.
- Technology: Technologies, such as artificial intelligence, machine learning and cloud computing, represent both opportunities and threats in the world of OT/IT cybersecurity. Modern technology systems must be built with tomorrow’s security risks in mind.
- Compliance: The NIS Directive and its follow-on NIS2 Directive outline the responsibility for organisations to take reasonable steps toward a solid cybersecurity posture. This applies to the increasingly digital OT world because of the classification of many OT systems as a critical infrastructure.
- Teams: Organisations need to recognise and confront the cultural silo separating OT and IT teams in order to reduce complexity, promote collaboration and achieve a reliable, frictionless state of OT/IT cybersecurity.
- The cloud, data and device proliferation: When digital OT systems are infected, the attacks easily and quickly move laterally over a mesh of intersecting networks, carrying ‘digital germs’ with them. The risk here is high, particularly with the huge proliferation of devices and data from converged workloads in the cloud.
- The future: There is a growing urgency from business stakeholders to make OT systems more digitally driven to ensure agility and efficiency. Boards that are now prioritising OT/IT cybersecurity are making a strong statement about the business implications to this strategy.
Next Steps
To help you understand and prepare for the cybersecurity risks inherent at the intersection of OT and IT, we have captured insights and recommendations from forward-thinking industry experts in a new guide: Executive Edge: Peer Insights - Complexity at the intersection of IT and OT.
This Peer Insights guide for C-suite executives explores how to streamline security, reduce complexity, and anticipate threats across the IT/OT environment, ultimately helping you drive change within your organisation.
Download the Peer Insights guide.