Operational Technology is comprised of the hardware, software, and networks that actuate, control, monitor, and analyze physical processes, machines, and infrastructure used in various industries such as manufacturing, transportation, health care, power generation and distribution, pharmaceuticals, oil and gas, water treatment, etc. OT encompasses multiple categories including Critical Infrastructure Systems (CIS) for civil and national interests, such as power generation and distribution, traffic control, water treatment, etc.; Industrial Control Systems (ICS) such as SCADA nodes, Programmable Logic Controllers (PLCs), and Human-Machine Interfaces (HMIs) that are in used in manufacturing, warehouses, pharmaceutical, agricultural, transportation, and oil and gas industries; and Industrial Internet of Things (IIoT), which include commoditized IP-enabled sensors that are commonly used in CIS and ICS environments today.
OT systems face cybersecurity threats that are different from enterprise IT because the equipment, software, and communications protocols used in these areas are often not the same as found in IT environments. However, given the push for Digital Transformation and the benefits it offers, many OT-deploying organizations have connected ICS, IIoT, and even CIS networks to their IT infrastructure and cloud services. Moreover, many organizations have deployed common enterprise IT hardware and software as well as commoditized Internet of Things (IoT) devices (such as temperature and lighting sensors, Wi-Fi cameras within their OT networks. This opens these OT environments, some of which had been physically air-gapped previously, to the ever-evolving threat landscape of IT.
Over the last few decades, enterprise IT departments have developed management hierarchies for handling their sprawling technology estates. However, some organizations that have OT assets have not integrated OT management, particularly security, into that enterprise IT management array. In most cases, there are historical reasons for this separation of duties.
Why IT and OT are often not aligned at the enterprise level
Power utility companies: These organizations have highly specialized and critical OT hardware and software. In some jurisdictions, regulations mandate logical and physical separation of OT assets from the enterprise. Different teams have managed the OT and IT environments, and to this day their reporting structures are not combined. They may have different budgets and even different security policies.
Conglomerates with autonomous or semi-autonomous business units: Companies that have acquired others but without strong centralization of IT (not to mention OT) very often leave most of the management and infrastructure as it was prior to the acquisition. This means that there may be multiple CIOs and CISOs as well as OT security managers, and little impetus for alignment of security technologies and policies.
Security and safety: IT security departments seek to ensure the confidentiality, integrity, and availability of information and assets. Organizations with OT must also maximize human safety, which means that OT equipment must fail-safe to prevent worker injuries, prevent contamination of products and services, ensure national security, and protect the public at large from catastrophic incidents. These objectives may sometimes compete with enterprise IT policies; therefore enterprise IT security and OT security remain distinct in some of these organizations. For examples of security solutions for ICS, see our Market Compass.
The US National Institute for Standards and Technology (NIST), in their special publication NIST SP800-82r2 Guide to Industrial Control Systems Security (p. 45), states that:
The information security team should report directly to the information security manager at the mission/business process or organization tier, who in turn reports to the mission/business process manager (e.g., facility superintendent) or enterprise information security manager (e.g., the company’s CIO/CSO), respectively. Ultimate authority and responsibility rests in the Tier 1 risk executive function that provides a comprehensive, organization-wide approach to risk management. The risk executive function works with the top management to accept a level of residual risk and accountability for the information security of the ICS.
Though NIST recommends that ICS security responsibilities bubble up to enterprise CISOs, that is largely not the case in many enterprises with OT (of which ICS is a subset), as reflected in the Fortinet 2022 State of Operational Technology and Cybersecurity Report (p. 9), which states that only 15% of organizations with OT have the security responsibility aligned through the enterprise CISO.
Aligning enterprise IT and OT security is certainly a best practice for risk management, considering the increasingly blurry lines of demarcation between the types of technology. Combining IT and OT security at the enterprise risk management level as well as at the technical integration levels present opportunities for synergies that can increase the overall cybersecurity posture of organizations with OT.
Recommendation: Enterprises with OT components must begin the journey toward centralizing security policies, technologies, and management under the purview of enterprise CISOs.
Attend KuppingerCole’s cyberevolution
KuppingerCole is hosting our cyberevolution conference in Frankfurt, Germany on November 14-16, where we will discuss leading edge topics such as digitalization, cybersecurity, and the impact of AI. There will be tracks for cyber resilience, securing the autonomous world, the cybersecurity fabric, supply chain security, and unified security for IT, OT, IoT, and IIoT. We hope you can join us for this one-of-a-kind event.