IT/OT Convergence and Compliance

IT/OT Convergence and Compliance

Jori VanAntwerp, CEO SynSaber
Jori VanAntwerp
CEO, SynSaber

If you’ve worked in or adjacent to OT, you’ve most likely heard the term IT/OT convergence. While we’re still talking about this today, in reality, most organizations’ convergence took place 10-15 years ago.

Organizations, operational teams, and regulatory agencies are cognizant of the risks associated with the incorporation of “smart” technology, cloud computing, and other new innovations and beginning to introduce new requirements and regulations around these technologies. Juggling the security of OT environments while navigating connections to IT technology or the cloud and meeting new and existing compliance requirements is no small task.

The benefits of connected and cloud technologies are increasing at an exponential rate. The ability to gather and analyze extensive data sets at speed to provide data for security, safety, efficiency, resilience, etc., is helping us to evolve and innovate our current solutions. However, to gain these benefits, there are genuine risks to exposing facets of or entire operational environments that need to be considered.

Your IT/OT Environments Converged — Now What?

Understanding the impact each environment has on the other and how it can be used to your organization’s benefit or detriment is key.

When considering the integration of “shiny” new, connected technology into your industrial environment or updating something that already exists, your team has to keep the security of your environment, devices, and data in mind.

Remote monitoring solutions for centralized offsite access of telemetry and performance data is a common example of using connected technology to access and optimize industrial environments based on OT data.

Examples of converged technology in OT environments can come in many forms, including (but definitely not limited to) :

  • Industrial Internet of Things (IIoT): connected OT devices and sensors for real-time data collection.
  • Smart Meters: measure usage/consumption and communicate with utility companies in near real-time for accurate billing and operational needs and efficiencies.
  • Industry 4.0: often used in advanced manufacturing environments, this includes software such as machine simulation, digital twins, and machine monitoring solutions that require OT and IT data to be combined. In some cases, this data traverses the internet or lives in the cloud.
  • Cloud-based technology and solutions: from remote support & access for industrial devices to security, telemetry, & data for operators and analysts.

Whether you’re actively incorporating new technology in your environment or securing the solutions that are already in place, there are steps you can take to reduce risk and ensure you’re well-prepared for future compliance needs.

Setting Your Environment Up for Success with New Tech + Compliance

The specifics of what you’ll need to do in your environment will change depending on the particular compliance framework that you need to adhere to. The requirements for NERC CIP are very different from CMMC, which are unique from requirements for ISO 27001 – you get the idea.

No matter what framework applies to your environment, there are some best practices and steps to maintain security when integrating connected technology while helping you meet and maintain compliance requirements.

Know what you need to protect

It’s hard to defend the devices and data in your environment if you’re not sure what’s on your network. Visibility into your network and understanding the devices and assets on your OT network and how they work together is the first step in knowing what to do. Keeping an eye on traffic, communications, and other activity across your network can ensure that everything is configured and operating properly. It doesn’t hurt to have an updated asset inventory to reference for compliance documentation and evidence.

Establish consistent access controls and segmentation

There should be access controls in place to limit who has access to critical systems, devices, and applications in your environment. Access should be based on roles, and users should only be able to access the systems and applications they need for their jobs. These permissions should be monitored and verified regularly, removing access as needed.

OT environments should be segmented to limit the potential impact of an incident by keeping it contained within a smaller area. A DMZ (demilitarized zone) should also be established between the OT network and any external connections, whether to the larger enterprise network or the internet. A DMZ allows for dedicated monitoring within that segment to control what communications are allowed in and out of the OT network.

Establish and document your security policies

Keeping accurate and updated documents is critical to ensuring that teams across the organization know how to keep your operational technology up and running. Clear documentation should include all the roles and responsibilities of different teams and stakeholders, along with all the relevant controls and procedures.

Documentation is also the name of the game when it comes to submitting evidence for compliance. Neat and accurate documentation with version histories will support any audit procedures.

Conduct thorough risk assessments

Once you know what’s in your environment, the next step is to assess the risks that need to be addressed. New technology, connections, and updates need to be evaluated for any associated threats and the potential exposure of vulnerabilities that new IT solutions could bring to the devices in your environment.

Industrial machines and devices typically have much longer lifespans, as they’re purpose-built for specific operational purposes. Some of these devices may be too old to patch or upgrade to new versions. If a new technology puts these devices at risk, teams need to take additional measures to protect them.

Regular environment testing and monitoring

Testing your environment and connected devices when and where possible can identify any vulnerabilities or gaps that may not have been accounted for.

Ideally, tests should be done prior to deployment or in a sandbox environment so as not to adversely impact or cause cascading effects on operations.

Policies and processes should also be subject to tests, especially those regarding incident response, disaster recovery, business continuity, and more. Any changes to these policies and processes or to the architecture should prompt a review of any policies and processes that might be affected.

Keep communication between IT and OT teams clear and consistent

IT and OT teams should collaborate to create a communication framework and a glossary of common terms. Set clear goals and expectations with each other. Developing this shared understanding will facilitate effective communication and seamless solution integration, ultimately leading to successful collaboration between IT and OT teams. This will help to ensure that solutions are secure, work within both teams’ requirements, and add value.

Maintaining Security and Compliance Amid IT/OT Convergence

IT/OT convergence has already taken place for many organizations, but the introduction of new technologies and innovations is bringing about new challenges and risks that need to be considered.

It’s important for organizations to understand the benefits and risks of any new “shiny objects” including connected and cloud technologies, and to implement strategies to maintain security and meet compliance requirements. This includes knowing what needs to be protected, establishing continuous monitoring and risk assessments, and having a plan in place for incident response and recovery.

As technology continues to evolve and new regulations are introduced, staying informed and proactive will be the key to maintaining security, safety, compliance, and operability.