IT/OT Convergence or IT/OT Integration? | The State of Security

IT/OT convergence is an oft-repeated term, and maybe it’s the wrong term.

From a technology standpoint, IT/OT convergence has been occurring since at least the 1990s when HMI/Operator Stations began running on Windows and when Ethernet began displacing deterministic custom LAN protocols in the OT realm. This technology convergence has continued with networking, cybersecurity, virtualization, edge, zero trust, etc. The biggest change since the 1990s is that the time lag between technology being common in IT and it becoming common in OT is shrinking, although this process is still measured in years.

Integration vs Convergence

The skill sets required to deploy and manage these computer-, TCP-/IP-, Ethernet-based systems are the same in both IT and OT. So we are seeing some workforce convergence, as well.

Outside the underlying technology, the term “integration” may be more appropriate than convergence when talking about OT and IT.

Even when we look at IT only, everything is not, or at least it should not, be converged into one large, flat system. Desktop management is not “converged” with the ERP system or e-commerce operations. They are different systems with different purposes and different requirements. They are deployed and maintained by different teams in large organizations.

The same is and will continue to be true for OT in relation to IT. The non-engineering portion of OT applications, systems, and services may be the responsibility of “IT,” but it will be a team dedicated to OT. This team’s customer will be Operations, just as the ERP team’s customer is typically Finance.

Integration for the benefit of the business

While we can quibble with the term “convergence,” there is no doubt that the trend to connect, or integrate, IT and OT together for significant business benefits is growing in importance. Originally this involved sending historical process data from OT to IT for a variety of business purposes including billing, regulatory data, and business process reporting. Increasingly, it is being sent for predictive maintenance, efficiency improvements, and other process performance reasons. The future also includes sending OT data to IT so that enterprise cyber asset management, including security and change management, comprises both IT and OT.

Tripwire is a good example of integrating OT and IT asset management along with vulnerability management. Asset owners have long been using Tripwire on the enterprise side of things. There has also been a Tripwire product for the OT world, not to mention the OT heritage and widespread deployments that parent company Belden brings. The Tripwire OT solution has particular traction in the power sector, as it plays a role not only in security and asset management but also in helping utilities meet NERC CIP compliance.

A CISO’s “Single Pane of Glass”

The widespread news of the growing threat and real consequences of cyber attacks on critical infrastructure have resulted in the Board of Directors and CEO wanting answers on cyber risk. And they typically look at the CISO for these answers. Most CISOs don’t want to have separate IT and OT systems with different terminology to show them current risk posture and key metrics. The modern CISO wants to look at the “single pane of glass” to see their cyber security posture and cyber risk. The distinctions of IT and OT are less important than understanding the cyber risk from a business perspective.

The simplest solution is to export the OT data to an IT system and display it. We are seeing this through OT interfaces and connectors from companies like Splunk and ServiceNow. The challenge is risk isn’t as simple, especially in OT, as counting up the number of missing patches. Issues such as exposure, process and safety criticality, as well as security posture need to be taken into account to properly show the business risk to the CISO.

Patching is the most common and simple example. A large number of OT cyber assets have no user or data authentication. For these cyber assets, applying security patches accomplishes little and can be resource-intensive to do on a monthly or quarterly basis. With the exception of immediate patching of exposed OT resources, resources are typically better applied to other OT cyber risk reduction activities rather than monthly or quarterly patching. This differs from IT where most cyber assets are exposed to connections from networks with a lower trust level.

So while the CISO wants to see OT and IT cyber risk in a single pane of glass, it will require the way the key metrics are presented to be different in IT and OT. Otherwise OT will always look like it is at greater risk even though the data for decades has shown that the likelihood of compromise is much greater on IT than OT. As IT/OT cyber risk management integrations increase, vendors will need to deal with these differences. And it is likely that the asset owners will need to have the ability to tune these risk metrics so the presentation of data to the CISO and others is consistent enough to make intelligent cyber risk decisions.

About the Author: For over 20 years, Dale Peterson has been on the leading/bleeding edge helping security conscious asset owners effectively and efficiently manage risk to their critical assets. He has pioneered numerous ICS security tools and techniques such as the first intrusion detection signatures for ICS that are now in every commercial product. In 2007, Dale created the S4 Events to showcase the best offensive and defensive work in ICS security and to build a community. S4 is now the largest and most advanced ICS event in the world. Dale is constantly pushing and prodding the ICS community to move faster and get better.

LinkedIn: https://www.linkedin.com/in/dale-peterson-s4/ 

Twitter: @digitalbond

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.