In light of recent incidents that impacted both information technology (IT) and operational technology (OT) environments, organizations are increasingly evaluating the risks associated with growing IT/OT convergence.
IT environments include cloud computing, internal and outsourced Internet applications, and business and technical systems used across the organization, such as for e-commerce, human resources, and engineering. OT environments include both nonindustrial and industrial Internet of Things (IoT); industrial control systems (ICS) such as continuous and batch DCS, PLC, and SCADA controllers; and industrial automation systems for discrete manufacturing and robotics, building management systems such as HVAC control, electrical distribution, and medical devices.
With organizations embracing new digital transformation initiatives to change how they operate, OT will become ubiquitous, more connected, and more converged with IT. In turn, threat actors will adapt to the new environment and bring over the tricks learned from their activities against IT networks. Since OT environments typically have a less protected attack surface, organizations need personnel with a higher level of cybersecurity competency and need to focus on adding security controls to the safety measures that are already present in industrial environments.
Including IT and OT Standards in Security Programs
Security standards present a pragmatic approach for securing automation and control systems that comprise a corporation’s crown jewels. Companies should include both IT and OT standards within their overall cybersecurity program because threats and attacks can come from either direction and damage both the business and operations sides of the enterprise.
Spending $1 million on a security system for your front door does not solve a security problem if you leave the back door unlocked.
A well-thought-out, corporate-level cybersecurity program integrates widely used IT standards, like ISO 27001 and 27002, with OT standards, like ISA/IEC 62443. Too often, these standards are discussed as absolutes in an either/or scenario. But in reality, it’s an “and” strategy (ISO 27001/2 AND IEC 62443).
Many organizations have predominantly based their IT security policies and procedures on ISO/IEC 27001/2 and attempted to extend that structure to OT systems. While some security gains are possible, the fact is that the ISA/IEC 62443 series is the standard purpose-built for securing OT systems.
ISA/IEC 62443 complements ISO 27001/2 and allows OT to be brought into the organization's information security management system. ISA/IEC 62443 addresses the operational parts of the enterprise where ISO 27000 cannot generally be applied, including production areas with safety interlocks and a need for adherence to regulatory language, industrial equipment monitoring, safety systems in hazardous areas, sophisticated analyzers, and special-purpose industrial networks.
The enterprise IT teams within these facilities will need to understand and incorporate the OT risks, protection schemes, and response plans into their overall cybersecurity management systems. ISA/IEC 62443 is becoming recognized as the most useful language to bridge the gaps between IT and OT in integrated cybersecurity teams.
Organizations using the ISO 27001/2 series in combination with ISA/IEC 62443 get far superior results securing IT and OT because they blend the best of both standards.
The Cybersecurity Framework from the National Institute of Standards and Technology (NIST), a highly referenced cybersecurity framework in public policy in the US, contains over 112 references to the internationally recognized ISA/IEC 62443 family of standards. This family of standards helps organizations through the process of assessing the risk of their automation and control systems, provides metrics and benchmarks to measure compliance for OT security, and provides guidance for identifying and applying security countermeasures to reduce that risk.
Legislators are recognizing the value of standards for securing automation that affects their constituents’ lives and mandating many of these “best practices.” Recently introduced legislation in New York calls for applying ISA/IEC 62443 to the state’s public infrastructure, including transportation, water and wastewater treatment facilities, public utilities, public buildings, hospitals, public health facilities, and select financial services organizations.
A Shared Responsibility Mindset Is Critical
For a company cybersecurity program to be successful, IT and OT leaders must share responsibility for cybersecurity. Engineering and procurement firms, integrators, equipment vendors, maintenance providers, and staff teams are all cybersecurity stakeholders and must understand their unique roles in securing the environment and mitigating risk.
As most cybersecurity veterans understand, we cannot fully prevent threat actors from attacking our automation and controls. Our goals are to protect the most valuable intellectual property and assets, slow down adversaries, raise the adversaries’ cost to launch attacks, and quickly detect when something has gone wrong. Each part of an organization has a role to play, and a comprehensive, corporate-level cybersecurity program that integrates both IT and OT standards will result in better outcomes.