The convergence and integration between information technology (IT) and operational technology (OT) is by no means a new phenomenon. If anything, the pace of integration can only accelerate as businesses seek efficiencies and lower operational costs. The trend is fully fledged, but the ramifications are still emerging in domains such as cybersecurity risk management. Although the benefits of such integration are appealing, there are risks that need to be managed if business are to protect their assets from cyberattacks.
Gartner defines Information Technology (IT) as, “the entire spectrum of technologies for information processing, including software, hardware, communications technologies, and related services,” and define Operational Technology (OT) as, “hardware and software that detects or causes a change, through the direct monitoring and/or control of physical devices, processes, and events.” OT generally encompasses industrial control systems (ICS), which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLCs).
Historically, there was a schism between information technology infrastructure and networks, and those responsible for handling and processing industrial control system data (operational technologies). OT systems were positioned in substantially secure areas and were not integrated with business networks and the internet. They used specialized software, hardware, and protocols such as Modbus. To some extent, this isolation of OT systems implied security by obscurity.
Drivers of IT-OT Convergence
The obscurity of OT systems from the outside world is waning and the line between IT and OT is blurring. Businesses are increasingly connecting their OT with IT networks and infrastructure. The following are the main drivers for the integration:
- Wide availability of IP enabled devices
- Lower cost of commercial off-the-shelf software (COTS)
- The need for efficiencies and synergies with business processes
- Support through remote access capabilities
This convergence in pursuit of enhanced capabilities unmasks OT/ICS to the outside world than precursor systems.
Benefits of Convergence Between IT and OT
Today’s organizations are under increasing pressure to reduce operating costs, improve process efficiencies, and reduce the time to market products. According to IoT World Today, the following are some of the key benefits that businesses derive from convergence of IT and OT:
- Streamlined processes, resulting in greater efficiencies
- Lower fixed costs through elimination of redundant systems
- Ease of performing security and other analytics
- Facilitation of business process engineering through advanced use of analytics in OT systems
- Transfer of best practices to OT (e.g., patch management)
- Real-time tracking of OT devices.
Risks Arising from Improperly Managed IT-OT Convergence
Despite the promise of higher stakeholder returns from lower operating costs, higher efficiencies, and synergies, there are inherent risks that can impact the realization of these benefits. ISO 31000 defines risk as the effect of uncertainty on the achievement of objectives. According to NIST SP.800-82, poorly managed integration of these two systems may lead to the compromise of OT systems, implications of which include:
- Disruption of ICS due to blocked or delayed flow of information through ICS networks
- Unauthorized changes to instructions, alarm thresholds, and logic, with the potential of endangering human life
- Inaccurate information sent to system operators, causing the operators to initiate inappropriate actions, which could have various negative effects
- Unauthorized modification of configuration settings
- Interference with operation of safety systems, among other key functionalities
- Legacy devices that are not designed securely may be used as a platform for launching cyberattacks.
ISO 31000 Risk Management Framework
Given the potential risks resulting from the convergence of IT and OT, organizations and their boards should develop comprehensive risk management approaches to ensure their businesses exploit the benefits of integration while optimizing the risks. The following risk management approach adopted from ISO 31 000 (Risk management- Principles and guidelines) can help entities in navigating the threat landscape.
The rationale for using this framework, which is traditionally associated with enterprise risk, is that cybersecurity risk is a business risk which can be addressed using the same principles adopted for other entity-wide risks. The use of ISO 31000 also allows integration of the process of managing various enterprise risks with overarching governance systems in the organizations.
The Risk Management Process
To effectively manage the risk posed by IT and OT convergence, there should be proper communication and consultation between IT and OT personnel during all stages of the risk management process. Other relevant stakeholders such as the C-suite and board should be appraised of the pertinent risks and the approach undertaken by management to address these risks. For organizations with mature enterprise risk management processes, communication and consultation can be done through established risk governance structures such as the risk management committee, board audit committees, and board risk committees.
Communication and consultation should address issues such as risk tolerance, emerging risks, and threat intelligence, among others. Consultation and communication will enhance collaboration between the two traditionally disparate camps and help ensure success of the risk management efforts. Reference models such as ISA-95 can also assist in establishing clear communication protocols by identifying scope of the convergence and responsibilities of the parties involved.
The first step in managing the risks of IT-OT convergence is to establish the context. This step is critical as the application of risk management to specific sectors or situations requires consideration with the unique needs, perceptions, and strategic objectives of the organization. It helps to ensure that the risk management approach is relevant to stakeholders. For IT-OT integration risks, this could imply considering regulatory compliance requirements, health safety and environmental considerations, criticality of the business applications, and operations technology functions to the mission of the organization.
After establishing context, the next step would be the identification of risks arising from improperly managed convergence. This step may include analyzing the sources of risk events. These could be poorly configured firewalls, weak identification and authentication mechanisms, and inadequate segregation of duties in key applications. It is imperative to include people with diverse backgrounds to ensure that a comprehensive list of risk is available for further analysis. Techniques such as Delphi, scenario analysis, and brainstorming among others could be used depending on the audience and the maturity of risk management processes within the organization. The outcome of this second step is a list of all potential risks that could occur due to increased use of internet-enabled devices in OT.
Information from the risk identification process feeds into the third step, which is risk analysis. Risk is analyzed by taking into consideration the following:
- Causes of risks
- Positive consequences
- Negative consequences
- Impact
- Likelihood
Depending on the needs of the users, availability of information, and criticality of the IT and OT processes to the mission of the organization, risk analysis can be qualitative or quantitative. The most common output of the risk analysis step is the computation of inherent risk. That is, risk before taking into consideration the effect of controls. It is computed by multiplying consequence rating by the likelihood rating.
The fourth step in managing the risks of IT-OT convergence is risk evaluation. This step uses the inherent risk from the previous steps and compares it with criteria developed as part of setting the context to determine risk responses. This criterion is most often risk tolerance levels which are set by the board and senior management. For IT-OT convergence risks, criterion could be zero tolerance for traffic from internet traversing ICS network.
Risk treatment would be the fifth step in managing the risks of convergence. It involves making decisions on how the organization would bring the inherent risk considered to be unacceptable in the previous steps within the defined risk tolerance limits. According to ISO 31000, risk treatment is a cyclical process of:
- Assessing a risk treatment
- Deciding whether residual risk levels are tolerable
- If outside tolerance limits, generating a new risk treatment plan
- Evaluating the effectiveness of the treatment.
Risk treatment may involve consideration of several control measures for IT-OT, such as:
- Demilitarized zones between the IT and OT networks
- Firewalls
- Multifactor authentication mechanism on privileged OT accounts
- Employing secure network protocols and services
- Establishing security zones and security levels for both systems
- Unidirectional gateways
Treatment of risk does not necessarily imply diversifying away all the risk. Risk is inherent in all business operations. Apart from reducing risk through implementation of controls, other risk treatment options include:
- Risk avoidance and completely isolating OT from IT networks: This option looks very much unlikely to be exercised in practice
- Risk sharing (cyber insurance policies)
- Changing the likelihood
- Changing the consequence
There are several issues to consider when selecting an appropriate risk treatment option. These include risk capacity of the organization, risk tolerance, and the criticality of OT-IT to the mission of the organization, among others.
To ensure the effectiveness and continuous improvement of the risk management process, the organization should monitor and review the entire IT-OT risk management process. The review process can be scheduled or conducted as required. For the review to be effective, parties independent of day-to-day management of the risks such as IT Auditors should be charged with providing assurance on the risk management process. They could report results of their review to a board committee or to senior management.
The convergence of operational technology and information technology is accelerating at breakneck speeds with the adoption of advanced process control systems such as the Industrial Internet of Things (IIoT) and Industry 4.0. There are a multitude of benefits that organizations can leverage for their stakeholders from greater integration. Sadly, the cybersecurity implications of such integration are less understood. Organizations should develop structured and systematic risk management methodologies to protect their assets from cyberattacks while benefiting from OT-IT convergence.