In March 2016, reports emerged that hackers had infiltrated a water utility's control system. Many critical IT and operational technology (OT) functions ran on the same system, which was connected to the internet, exposing the system to attacks. In this case, the hackers were able to change the levels of chemicals being used to treat tap water, threatening the health and safety of citizens.
“ Myth: IT and OT cultures are too incompatible for a common cybersecurity strategy.”
Incidents like these have raised industry concerns. In Gartner’s 2016 IoT Backbone Survey, 35% of IT leaders cited security as a top barrier to Internet of Things (IoT) success.
“It’s time to have a strategic discussion regarding the future of industrial cybersecurity,” says Earl Perkins, research vice president at Gartner.
Cybersecurity is evolving, becoming a single organism. Gartner uses the term "digital security" to describe a common framework for security requirements across IT, OT, the industrial IoT (IIoT) and physical security environments.
Gartner predicts that by the end of 2022, half of asset-centric organizations will have digital security risk strategies in place to address IoT security impacts on IT and OT, up from 10% in 2017.
“Myths regarding what OT and IIoT security should or should not look like must not prevent security and risk managers from doing their job,” Perkins says.
Myth #1: OT and IT systems face the same risks, so OT and IIoT can use IT methodologies to assess risk and threats.
Reality: IT and OT have overlapping, but distinctive, risks. IT security has been devoted for decades to the protection of information: its confidentiality, integrity and availability. OT is founded on the reliability and safety of people and environments. There are some similarities, but each requires targeted processes and systems to address digital security needs within each environment.
Myth #2: IT and OT cultures are too incompatible for a common cybersecurity strategy.
Reality: IT and OT cultures are not incompatible, but they require executive guidance to realize initial alignment. While OT culture does consider security requirements, it is unlikely to have a structured or devoted security practice. IT, on the other hand, devotes significant effort and budget to protecting information.
Myth #3: IT, OT and IIoT cybersecurity should be in a single team reporting to one executive.
Reality: For most organizations, this is neither possible, nor even desirable. While it is desirable to govern and plan major digital security decisions as a single, often-central group, a single blanket answer to this is not reasonable or cost-effective.
Myth #4: OT and IIoT systems are too specialized and unique to use off-the-shelf security solutions.
Reality: Each year, the rate of IT protocols, formats and services increases in OT, which means that OT systems are exposed to many of the same IT security threats. You can use existing IT processes as a starting point, but there will be modifications needed, depending on service-level agreements. For example, an IT system that uses port, vulnerability or virus scanning can cause havoc on some latency-sensitive OT networks.
Myth #5: Cloud-based cybersecurity solutions and automation are not realistic for OT and IIoT systems.
Reality: A common discussion in asset-centric organizations is whether OT systems can use automated cybersecurity responses that can shut off or prevent access, initiate safety shutdowns, notify maintenance personnel and perform other duties.
Most OT organizations have also been reluctant to use cloud-based cybersecurity solutions because of perceptions that they are not "secure enough". Gartner believes this will change in time because many decisions once considered as unthinkable in IT security years ago are relatively common today.