Integrating IT And OT Security To Fully Address Business Risk
Jason is the Director of Cyber Risk at Dragos & a SANS certified instructor and author for critical infrastructure protection.
Since the dawn of the Industrial Revolution, business owners and operators have had to manage business risk as well as the risks to the health and safety of their workers and their communities. For centuries, this has been a hands-on task, protecting primarily physical premises and processes. With the advent of the information revolution, the game and the stakes have changed. Today’s digital environment creates a new range of risks and responsibilities in ensuring physical security.
The integration of information technology (IT) with operational technology (OT) means that systems and processes that once were logically isolated are now exposed to the same cyber threats as the IT world. Businesses are no longer stand-alone operations; they are components of critical infrastructures and supply chains, which significantly increases their exposure to risks.
The need for integrating OT and IT security for risk management is evident, but OT and IT security have developed separately—creating risky and expensive security silos.
Despite the need for coordinated security, fewer than half of the companies included in a Ponemon study said their IT and OT cybersecurity procedures and policies are aligned. The primary causes for this disconnect are the cultural differences between IT and OT teams as well as the technical differences between their respective best practices and what is possible in OT environments—in short, a cultural divide.
Products Of Different Worlds
OT comprises the systems that control and manage physical assets and processes. Businesses rely on these critical systems for everything from managing production lines and distribution networks to operating HVAC systems. Originally engineered and architected as proprietary stand-alone systems, they now often use off-the-shelf IP-addressable equipment connected with traditional IT systems. The same technology that enables administrators to remotely manage OT systems also makes it possible for adversaries to compromise them.
IT and OT systems have evolved with different missions. IT has become…
