Given recent events affecting both the information technology (IT) and operational technology (OT) environments, organizations are increasingly assessing the risks associated with the growing IT/OT convergence.
The IT environment includes cloud computing, on-premises and outsourced Internet applications, and the business and technology systems used throughout the organization, such as e-commerce, human resources, and engineering. OT environments include non-industrial and industrial Internet of Things (IoT); industrial control systems (ICS) such as continuous and batch DCS, PLC, and SCADA controllers; industrial automation systems for discrete manufacturing and robotics; HVAC control; power distribution; building management systems; and medical equipment.
As organizations adopt digital transformation initiatives to change the way they operate, OT will become ubiquitous, more connected, and more integrated with IT. Threat actors, in turn, will adapt to the new environment and bring skills learned from campaigns targeting IT networks. Because OT environments typically present a less protected attack surface, organizations need people with a higher level of cybersecurity competency and a focus on adding security controls to the measures already in place in industrial environments.
Include IT and OT standards in your security plan
Security standards provide a practical way to protect the automation and control systems that make up a company’s crown jewels. Companies should include both IT and OT standards in their overall cybersecurity program, as threats and attacks can come from either direction and harm both the business and the operational aspects of the enterprise.
If you don’t lock the back door, spending $1 million on a front door security system won’t solve the security problem.
A well-thought-out enterprise-level cybersecurity program integrates widely used IT standards such as ISO 27001 and 27002 with OT standards such as ISA/IEC 62443. These standards are often treated as an either-or choice, but in reality the right approach is an AND strategy (ISO 27001/2 and IEC 62443).
Many organizations’ IT security policies and procedures are largely based on ISO/IEC 27001/2, and they attempt to extend this structure to OT systems. While there are some security benefits to be gained that way, the ISA/IEC 62443 series is a set of standards built specifically to protect OT systems.
ISA/IEC 62443 complements ISO 27001/2 and allows an organization’s information security management system to be extended to OT. ISA/IEC 62443 addresses parts of business operations to which ISO 27000 is not normally applicable, including production areas with safety interlocks and compliance with regulatory language, industrial equipment monitoring, safety systems in hazardous areas, complex analyzers, and special-purpose industrial networks.
Enterprise IT teams within these facilities need to understand and incorporate OT risks, protection plans and response plans into their overall cybersecurity management system. ISA/IEC 62443 is being recognized as the most useful language for bridging the gap between IT and OT in integrated cybersecurity teams.
Organizations that use the ISO 27001/2 series in conjunction with ISA/IEC 62443 can achieve excellent results in protecting both IT and OT, because they combine the best of both standards.
The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is a highly cited cybersecurity framework in U.S. public policy, and it contains more than 112 references to the internationally recognized ISA/IEC 62443 family of standards. This series of standards helps organizations assess the risk of their automation and control systems, provides metrics and benchmarks for measuring OT security compliance, and gives guidance for identifying and applying security countermeasures to reduce risk.
Lawmakers are recognizing the value of automation standards that affect the lives of their constituents and are enforcing many “best practices.” Recent legislation in New York requires the application of ISA/IEC 62443 to the state’s public infrastructure, including transportation, water and wastewater facilities, utilities, public buildings, hospitals, public health facilities, and selected financial services institutions.
A mentality of shared responsibility is essential
For corporate cybersecurity programs to succeed, IT and OT leaders must share cybersecurity responsibilities. Engineering and procurement companies, integrators, equipment suppliers, maintenance providers, and workforce teams are all cybersecurity stakeholders and must understand their unique role in protecting the environment and mitigating risk.
As most cybersecurity veterans know, we cannot completely prevent threat actors from attacking our automation and control systems. Our goal is to protect the most valuable intellectual property and assets, slow down adversaries, raise the cost of their attacks, and detect problems quickly when they arise. Every part of an organization has a role to play, and a comprehensive, enterprise-grade cybersecurity program that integrates IT and OT standards will yield better results.