Secure IT-OT Convergence

IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

• Governing and managing IT and OT security and accountabilities.
• Converging security architecture and controls between IT and OT environments.
• Compliance with regulations and standards.
• Metrics for OT security effectiveness and efficiency.

• IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
• OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
• Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).

Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

• Initiate communication to define roles and responsibilities.
• Establish governance and build a cross-functional team.
• Identify convergence components and compliance obligations.
• Assess readiness.

90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

Case Study

INDUSTRY
Utilities

SOURCE
Interview

Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

The lessons learned in converging IT and OT from Horizon Power were:

• Start with forming relationships to build trust and overcome any divide between IT and OT.
• Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
• Switch the focus from confidentiality and integrity to availability in solutions evaluation
• Develop training and awareness programs for all levels of the organization.
• Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
• Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
• Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

• Process convergence
• Software and data convergence
• Network and infrastructure convergence

• OT leader and teams
• IT leader and teams
• Security leader and teams

• Governance and compliance
• Security strategy
• Risk management
• Security policies
• IR, DR, BCP
• Security awareness and training
• Security architecture and controls

Plan

• Initiate communication
• Define roles and responsibilities
• Establish governance and build a cross-functional team
• Identify convergence elements and compliance obligations
• Assess readiness

Governance

Compliance

Enhance

• Update security strategy for IT/OT convergence
• Update risk-management framework for IT/OT convergence
• Update security policies and procedures for IT/OT convergence
• Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

Security strategy

Risk management

Security policies and procedures

IR, DR, and BCP

Monitor &
Optimize

• Implement awareness, induction, and cross-training program
• Design and deploy converging security architecture and controls
• Establish and monitor IT/OT security metrics on effectiveness and efficiency
• Red-team followed by blue-team activity for cross-functional team building

Awareness and cross-training

Architecture and controls

• Mapping business goals to IT/OT security goals
• RACI chart for priorities and accountabilities
• Compliance obligations register
• Readiness checklist

• Security strategy for IT/OT convergence
• Risk management framework
• Security policies & procedures
• IR, DR, BCP

• Security awareness and training
• Security architecture and controls

• Improved flexibility and less divided IT/OT
• Improved compliance

• Increased strategic common goals
• Increased efficiency and versatility

• Enhanced security
• Reduced costs

Info-Tech Insight

OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

• Security leaders need to understand the direction the organization is headed in.
• Wise security investments depend on aligning your security initiatives to the organization.
• Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

Physical Scope and Boundaries

• How many offices and locations does your organization have?
• Which locations/offices will be covered by your information security management system (ISMS)?
• How sensitive is the data residing at each location?
• You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

• There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
• Is the system owned or outsourced?
• Where are you accountable for security?
• How sensitive is the data that each system handles?

Organizational Scope and Boundaries

• Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
• Do you have the ability to make security decisions for each department?
• Who are the key stakeholders/data owners for each department?

OT Systems Scope and Boundaries

• There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
• Is the system owned or outsourced?
• Where are you accountable for safety and security?
• What reliability requirements does each system handle?

• Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
• For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

1. Customize the "work units" to best reflect your operation with applicable stakeholders.
2. Customize the "action“ rows as required.

The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

• A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
• However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
• Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

Level 5: Enterprise Network

Level 4: Site Business

Level 3.5: DMZ
Example: Patch Management Server, Application Server, Remote Access Server

Level 3: Site Operations
Example: SCADA Server, Engineering Workstation, Historian

Level 2: Area Supervisory Control
Example: SCADA Client, HMI

Level 1: Basic Control
Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

Level 0: Process
Example: Sensors, Actuators, Field Devices

Source:
ENISA, 2013
DHS, 2009.

• OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
• OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
• It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

• IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
• In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
• For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
• For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   1. Laws
   2. Government regulations
   3. Industry standards
   4. Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.

People

• Define roles and responsibilities on interaction based on skill sets and the degree of support and alignment.
• Adopt well-established security governance practices for cross-functional teams.
• Analyze and develop skills required by implementing awareness, induction, and cross-training program.

Process

• Conduct a maturity assessment of key processes and highlight interdependencies.
• Redesign cybersecurity processes for your secure IT/OT convergence program.
• Develop a baseline and periodically review on risks, security policies and procedures, incident response, disaster recovery, and business continuity plan.

Technology

• Conduct a maturity assessment and identify convergence elements and compliance obligations.
• Develop a roadmap and deploy converging security architecture and controls step by step, working with trusted technology partners.
• Monitor security metrics on effectiveness and efficiency and conduct continuous testing by red-team and blue-team activities.

• OT system life cycle is like the IT system life cycle, starting with architectural design and ending with decommissioning.
• Currently, IT only gets involved from installation or maintenance, so they may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle.
• Finally, it is necessary to have propositional sharing of responsibilities between IT leaders, security leaders, and OT leaders who have broader responsibilities.

• One of issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may deteriorate a machine or take a machine offline and may not be applicable. For example, some facilities run with reliability of 99.999%, which only allows maximum of 5 minutes and 35 seconds or less of downtime per year.
• Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats cand help.
• Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment, e.g. running an antivirus tool on OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.

• Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations, and vulnerabilities affect organizations of all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed as ideal proxies for attackers.
• Updating security policies to align with the OT system so that there is a uniform approach to securing both IT and OT environments has several benefits. For example, enhancing the overall security posture as issues are pre-emptively avoided, being better prepared for auditing and compliance requirements, and improving governance especially when OT governance is weak.
• In updating security policies, it is important to redefine the policy framework to include the OT framework and to prioritize the development of security policies. For example, entities that own or manage US and Canadian electric power grids must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, specifically CIP-003 for Policy and Governance. This can be achieved by understanding the current state of policies and by right-sizing the policy suite based on a policy hierarchy.

• An issue with IT/OT convergence training and awareness happens when awareness exists, but the personnel are trained only for IT security and are not trained for OT-specific security. For example, some organizations still use generic topics such as not opening email attachments, when the personnel do not even operate using email nor in a web browsing environment. (“Assessing Operational Readiness,” Dragos, 2022)
• Meanwhile, as is the case with IT, OT security training topics are broad, such as OT threat intelligence, OT-specific incident response, and tabletop exercises.
• Hence, it requires the creation of a training program development plan that considers the various audiences and topics and maps them accordingly.
• Moreover, roles are also evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security & ops team might consist of an IT security specialist, SCADA technician/engineer, and OT/IIOT security specialist where OT/IIOT security specialist is a new role. (Grid Modernization: Optimize Opportunities and Minimize Risks,” Info-Tech)
• In conclusion, it is important to approach talent development with an open mind. The ability to learn and flexibility in the face of change are important attributes, and technical skill sets can be improved with certifications and training.

• One of issues in certification is the complexity on relevancy in topics with respect to roles and levels.
• An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications.

Specific cybersecurity certification of ICS/SCADA
Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course.

Other relevant certification schemes
Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP).

Safety Certifications
Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

• IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred as “OT High-Security Zone” and the topmost layer is “IT Low-Security Zone.” In this model, each layer has its own set of controls configured and acts like an additional layer of security for the zone underneath it.
• The data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified to pass to another zone based on the need-to-know principle.
• In the normal control flow within the “OT High-Security Zone” from level 3 to level 0, the traffic must be verified to pass to another level based on the principle of least privilege.
• Remote access (dotted arrow) is allowed under strict access control and change control based on the zero-trust principle with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone”
• This model simplifies the security process, as if the lower layers have been compromised, then the compromise can be confined on that layer, and it also prevents lateral movement as access is always verified.

• Requirements for secure IT/OT are derived from mandatory or voluntary compliance, e.g. NERC CIP, NIST SP 800-53.
• Frameworks for secure IT/OT are used to build and implement security, e.g. NIST CSF, AESCSF.
• Maturity of secure IT/OT is used to measure the state of security, e.g. C2M2, CMMC.
• Security metrics have the role of measuring effectiveness and efficiency.

Safety

Business Performance

Technology Performance

Security Culture

• The National Institute of Standards and Technology’s Special Publication 800-82 Rev. 3, Guide to Operational Technology (OT) Security.
• The United States Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) v2.1, Operational Technology Cybersecurity for Energy Systems, 21 Steps to Improve Cyber Security of SCADA Networks.
• The United States Cybersecurity and Infrastructure Security Agency’s Cybersecurity Evaluation Tool (CSET®), Recommended Practices, Cybersecurity Practices for Industrial Control Systems, Convergence CTEPs
• The United States Department of Homeland Security’s Seven Steps to Effectively Defend Industrial Control Systems, Configuring and Managing Remote Access for Industrial Control Systems

• The United States Department of Defense Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) for Department of Defense (DoD) Industrial Control Systems (ICS)
• The Australian Cyber Security Centre’s Information Security Manual, Essential Eight, Strategies to Mitigate Cyber Security Incidents, Operational Technology, Protecting Industrial Control Systems, and Industrial Control Systems Remote Access Protocol
• The Australian Energy Market Operator’s AEMO Operations Technology Roadmap, Australian Energy Sector Cyber Security Framework (AESCSF)
• MITRE ATT&CK for Industrial Control Systems

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Implement a Security Governance and Management Program

Your security governance and management program needs to be aligned with business goals to be effective.

This approach also helps provide a starting point to develop a realistic governance and management program.

This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.

“Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.

Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

“Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.

“Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web.

“Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.

Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022.

“Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.

Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022

Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.

“ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.

Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.

Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.

O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.

Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022.

Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.

Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.

“Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.

Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.

“Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.

Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.

“2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.

“2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web.

Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.

Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors.

Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability.

As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

Frank DePaola
Vice President, Chief Information Security Officer (CISO)
Enpro

Kwasi Boakye-Boateng
Cybersecurity Researcher
Canadian Institute for Cybersecurity