Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Architecture vs. Design

Many Operational Technology (OT) projects start with identifying the requirements and then diving straight into the design phase, where common OT security principles were neglected or ignored. Just because it is easy to begin and start designing, doesn't mean that an organization should. It would be a mistake for any organization to simply begin designing the requirement without a strategy. For an organization to be able to implement a secure OT strategy, it is important that they design a comprehensive security architecture.

In fact, OT networks are, as some have observed, like M&M candies—“soft” on the inside, and they’re not particularly “hard” on the outside, either. Once attackers get into an OT network—either via the internet or using stolen credentials to access existing pathways between IT and OT—it’s relatively easy for them to move around to perform cyber-reconnaissance and compromise industrial devices, hence that comprehensive security architecture is not only required but should be mandated to securely design the network inside and out.

Distinguishing between design and architecture is very important for any project. Before it's possible to have a comprehensive architecture, it is important to know the distinction between architecture and design and the pitfalls that organizations experience by not making that distinction.

First, let's focus on the differences and the importance of architecture and design. When developing a secure strategy, an organization must come to terms with a common issue. A problem with technology consultants in general is that when presented with a business opportunity or problem to solve, they typically immediately devise a technology solution.

A technologist or a cybersecurity professional is invited to a meeting featuring a business opportunity or a problem, and because they are accustomed to being pressed for a quick answer, they will typically have a technology solution in mind before the meeting is completed. They leave that meeting and then move quickly to devising a technological solution. The issue gets compounded when there are multiple departments and people that are responsible for solving problems, as each of the individual solutions lack congruity and the ability to seamlessly integrate.

Often, additional solutions are needed for integrating individual solutions. The problem stands from a lack of clarity in the organizational architecture and an impulse to rapidly design solutions without being informed by an overarching architecture.

Proper architecture is a technology-agnostic description of a business requirement that allows an organization to see strategically off into the future beyond the problems and opportunities of a single implementation. While design is important, you must first have a translation of the organization mission goals and the requirements that is represented in the architecture.

Benefits of Having a Good Architecture

Having an architecture first allows the organization to solve technology and service problems in a collaborative manner. The organization is better capable of asking questions related to business requirements that haven't been asked, which leads to the secure strategy required to implement that architecture. Good architecture also highlights the pros and cons of specific technology which business might want to establish in long-term strategy goals. Good architecture also assists an organization in moving away from immature, reactive behavior and being more proactive.

In the end, it has always been assumed that OT networks are secure because they were “air-gapped”—that is, they were physically separated from the internet and from corporate IT networks. However, industrial networks contain a complex mix of specialized protocols, including proprietary protocols developed for specific families of industrial automation devices. This heterogeneous mix complicates security for OT environments. Hence, a good secure architecture will not only improve the security posture of your organization but will also reduce the attack surface by helping the organization for a secure design.

Achal Lekhi
Achal Lekhi
Achal Lekhi is a diligent and detail-oriented operational technology security specialist professional with a strong academic background and hands-on experience in several complex roles in different sectors. Achal is a quick thinker, with an ability to wear multiple hats — strategic, technical and logical for a given requirement. He believes strongly that there is no problem in the world that does not have a solution! Currently, Achal works as an operational technology (OT) security consultant across several industries globally. He has an excellent blend of technology capability, OT/IT awareness, network and information security and risk and compliance with a detailed understanding and experience of implementing OT security and cybersecurity standards.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM