IT/OT Convergence and Industrial Cybersecurity Q&A
A recent ISACA webinar on the IT/OT (information technology/operational technology) convergence drew such significant participation and such a large volume of questions that the ISACA Now blog has decided to run some of the top IT/OT questions and answers.
The IT/OT convergence is a phrase used to describe the trend that is blurring the line between what had traditionally been well-differentiated classes of IT-based systems.
As noted in my previous IT/OT blog, this trend is well established, but the full implications are still developing in areas such as the management and protection of systems against cyber security threats. The diversity of technologies involved ensures that there is effective collaboration across multiple disciplines.
Key issues covered in the recent webinar include:
How the convergence is reflected in international standards for cybersecurity, such as ISA/IEC 62443
The typical and needed responses from the various stakeholders
The importance of consequence estimation for the asset owner
The resources available for those creating their cyber security management system
An introduction to industrial control systems
An overview of trends in IT/OT convergence
The importance of consequences in assessing overall risk
ISACA and the International Society of Automation (ISA) have released new guidance on the convergence of IT and OT and the business imperative to improve information security. The free download is available here.
Some of the top IT/OT convergence questions and answers from the webinar include:
Question: What is the most validated model, with case of success ratio, for designing an IT/OT convergence implementation project? I’m looking for a model that has design criteria, constraints, and standards such as ISA99, ISA95 and OT Control process special needs, with mining industry, multiple control systems, multiple networks and a segregation layer in place.
Answer: I am not aware of any particular validated “models” for designing an IT/OT convergence project, but there are several anecdotal examples (case studies) that describe how specific companies have addressed this challenge. The use of the reference models in ISA95 as a basis for establishing scope of application and responsibility for the various parties is a very good start.
In addition, the ISA/IEC 62443-3-2 standard addresses the specific challenge of separating an automation system into zones for the purpose of risk assessment. This standard has not yet been published, but drafts are available from the ISA99 committee.
Question: Would you recommend having IT and OT in a single AD domain with adequate segregation like firewalls?
Answer: My personal opinion is that it is better to have a separate AD domain for industrial control systems, with very carefully controlled (or no) trusts between it and the larger business network. Intermediate systems (“jump servers”) can be deployed in a demilitarized zone for the purpose of exchanging data between the control and business systems.
Question: When you are identifying data assets, is it a manual process?
Answer: Unfortunately, this is the case in many situations. There is considerable sensitivity about the use of automatic scanners on control systems, where certain components may be particularly “brittle” and may not react well to a scan. However, newer products are now being developed to automate this process in a safe manner.
Question: What should be an approach for integrating IT/OT and Industrial Internet of Things (IIoT), please? Would it be a mix of ISA/IEC 62443 series and other standards?
Answer: The impact and implications of IIoT on the industrial automation domain is a subject that is currently being examined and discussed widely. I am not aware of any formal standards in this area. The ISA is currently examining the impact of IIoT on their standards portfolio (including 62443) in order to determine the optimum response.