September 2021
Prepared By
Tom Finan, Chairman of the Board
Overcoming Challenges - Shifting to IT/OT Continuum
In recent years, many publications have been written about IT/OT “convergence” – the integration of Information Technology (IT), the hardware and software that processes data, with Operational Technology (OT), the systems that control industrial operations. In short, this convergence involves connecting IT networks with previously isolated OT systems in order to drive organizational efficiencies.
Unfortunately, many organizations are experiencing a persistent tug of war between their Chief Information Security Officers (CISOs) and Operations Leads over who should direct IT/OT cybersecurity efforts. This tension not only prevents the full realization of benefits that true convergence could bring, it also increases the likelihood that critical risks will be left unaddressed. A shift from the term “IT/OT convergence” to “IT/OT continuum” – where cybersecurity responsibility is determined by the protected function of concern – would help overcome these challenges.
Ensuring the Success of IT/OT Convergence
The gains promised by IT/OT convergence are legion. They include enhanced operational performance and related cost savings, improved coordination of cybersecurity investments and practices, elimination of unneeded hardware and software, better use of equipment and staff to address problems, and significant reductions in unplanned downtime caused by cyber-attacks.
What obstructs this progress? Regrettably, the limits of convergence itself. The dictionary defines the word to mean “a coming closer together, especially in characteristics or ideas.”
That’s all well and good, but successful IT/OT convergence requires something more – specifically, leadership that makes that “coming closer together” actually happen. Such leadership, however, should not be a static affair. Whether a CISO or Operations Lead has final say instead should be determined by the particular function that a particular cybersecurity effort is designed to protect.
This functional approach would help ensure effective cyber risk management along the IT/OT continuum by clarifying the “expert” in any given situation. For many years, CISOs were the only game in town because of what cybersecurity has historically entailed: protecting the confidentiality, integrity, and availability of data.
CISO expertise is well-developed in this area and should continue in the IT/OT context whenever data protection is the protected function of concern. The world, however, changed this year after a series of highly publicized OT cyber incidents. Our present circumstances now require a clear division of IT/OT cybersecurity leadership responsibility that puts Operations Leads in the driver’s seat when the availability of operations is the driving security objective.
From Convergence to Continuum
Over the years, organizations that depend on SCADA and other industrial control systems (ICS) to support their operations have connected those devices to corporate networks and, by extension, the Internet in order to enable remote, web-based access and control.
Cybersecurity concern about this “convergence” – specifically, cyber threat actors accessing SCADA and other ICS to shut down pipelines, threaten the food supply, and injure or kill people – was typically considered an important but largely theoretical worry.
Now that the harsh realities of Colonial Pipeline, JBS, and Oldsmar have set in, however, the need to shift the language from “IT/OT convergence” to the “IT/OT continuum” – and to assign cybersecurity leadership responsibility accordingly – is more necessary than ever.
The threat actors behind these recent events were not primarily focused on each impacted organization’s data. On the contrary, they targeted their critical operations. This distinction is important. Operations Leads – not CISOs – are the experts when it comes to the full range of bodily injury, property damage, and other consequences that could arise from a successful cyber-attack on an organization’s operations. Moreover, Operations Leads – not CISOs – are the experts on how the component parts that support those operations should work together.
Likewise, Operations Leads – not CISOs – know best which of those parts to prioritize for cybersecurity protection in order to avert operational disaster. Bottom line, when operations are the protected function of concern, it’s Operations Leads who should lead IT/OT cybersecurity and direct the supportive efforts of their CISO colleagues.
While well-intentioned, the phrase “IT/OT convergence” leaves a big question mark about who should take charge of IT/OT cybersecurity efforts in any given situation. This problem is compounded by the fact that organizations very often use the same computer hardware and software not only to support their data processing and storage but also to control every aspect of their physical operations.
A functions-based division of IT/OT cybersecurity responsibility would create clear lines of authority that will make possible more coordinated and impactful collaboration by CISOs and Operations Leads. It likewise will enable – for the first time – a truly “equipment agnostic” approach that will further minimize the present tug of war between these key cybersecurity partners. For these reasons, it’s time for organizations to move beyond convergence to the “IT/OT continuum.”
© 2021 Mission Critical Global Alliance (MCGA). All Rights Reserved.