Misperceptions continue to plague attempts to integrate security strategy across IT and OT.
In March 2016, reports emerged that hackers had infiltrated a water utility’s control system. Many critical IT and operational technology (OT) functions ran on the same system, which was connected to the internet, exposing the system to attacks. In this case, the hackers were able to change the levels of chemicals being used to treat tap water, threatening the health and safety of citizens.
“It’s time to have a strategic discussion regarding the future of industrial cybersecurity,” says Earl Perkins, research vice president at Gartner.
Cybersecurity is evolving, becoming a single organism. Gartner uses the term “digital security” to describe a common framework for security requirements across IT, OT, the industrial IoT (IIoT) and physical security environments.
“Myths regarding what OT and IIoT security should or should not look like must not prevent security and risk managers from doing their job,” Perkins says.
Myth #1: OT and IT systems face the same risks, so OT and IIoT can use IT methodologies to assess risk and threats.
Reality: IT and OT have overlapping, but distinctive, risks. IT security has been devoted for decades to the protection of information: its confidentiality, integrity and availability. OT is founded on the reliability and safety of people and environments. There are some similarities, but each requires targeted processes and systems to address digital security needs within each environment.
Myth #2: IT and OT cultures are too incompatible for a common cybersecurity strategy.
Reality: IT and OT cultures are not incompatible, but they require executive guidance to realize initial alignment. While OT culture does consider security requirements, it is unlikely to have a structured or devoted security practice. IT, on the other hand, devotes significant effort and budget to protecting information.
Myth #3: IT, OT and IIoT cybersecurity should be in a single team reporting to one executive.
Reality: For most organizations, this is neither possible, nor even desirable. While it is desirable to govern and plan major digital security decisions as a single, often-central group, a single blanket answer to this is not reasonable or cost-effective.
Myth #4: OT and IIoT systems are too specialized and unique to use off-the-shelf security solutions.
Reality: Each year, the rate at which IT protocols, formats and services are used in OT increases, which means that OT systems are exposed to many of the same IT security threats. You can use existing IT processes as a starting point, but modifications will be needed, depending on service-level agreements. For example, an IT system that uses port, vulnerability or virus scanning can cause havoc on some latency-sensitive OT networks.
Myth #5: Cloud-based cybersecurity solutions and automation are not realistic for OT and IIoT systems.
Reality: A common discussion in asset-centric organizations is whether OT systems can use automated cybersecurity responses that can shut off or prevent access, initiate safety shutdowns, notify maintenance personnel and perform other duties.
Most OT organizations have also been reluctant to use cloud-based cybersecurity solutions because of perceptions that they are not “secure enough”. Gartner believes this will change in time because many decisions considered unthinkable in IT security years ago are relatively common today.
Gartner clients can read more in Demystify Seven Cybersecurity Myths of Operational Technology and the Industrial Internet of Things, by Earl Perkins, et al.