Empowering the Business of Cybersecurity

People, Process, and Technology initiatives should be evenly assessed

What is IT/OT Convergence?

Adopting IT/OT Convergence is an industry term that became more prominent with the Industry 4.0 movement. The introduction of Industrial Internet of Things (IIoT), Big Data, Artificial Intelligence (AI), Cloud Computing, plus other technology disruptors, enterprise goals and objectives became more relevant across IT and OT departments. Convergence is also applied through People, Process, and Technology (PPT). PPT must be well balanced to implement and operate successfully. However, placing too much weight on one element of the PPT framework brings high risk for rework and missed targets.

For context, Information Technology (IT) can be defined as the centralized corporate services and/or support operations for revenue generators. Operational Technology (OT) can be defined as the operational systems required to generate the revenues or offer critical services to the nation.

The convergence of IT and OT is viewed as a benefit to support leadership goals and objectives. This is accomplished through cost savings, leverage existing skilled resources, simplifying environments, centralizing of critical services, and increasing competitiveness in the marketplace. The examples may include the IT environment requiring OT information for business decisions or OT requiring cyber experience from IT to address skill gaps.

Convergence makes business sense so what’s the hold up? Many challenges arise when converging IT and OT environments. Some factors are culture clashes, expectations by leadership, skilled workforce in both environments, and competing priorities. Although each have a unique approach, I will focus on competing priorities.

Cartoon people pushing a large rock Description automatically generated

Competing Priorities when Adopting IT/OT Convergence

Both IT and OT departments have different priorities. Using the CIA triad, IT prioritizes confidentiality first, integrity second, and availability third. A corporate email service interrupted for a couple hours usually does not cause a significant disruption to the department and is tolerated. On the other hand, OT prioritizes the reverse for availability first, integrity second, and confidentiality third. Restarting a protective relay or remote terminal unit may have severe consequences due to unplanned outages, lost visibility with system operators, or breached service level agreements with external partners and stakeholders.

Trading goods between trusted parters

When these two departments start to converge, usually there is a lack of understanding the business and operations. Operating OT like IT is risky and same for the reverse. Releasing confidential corporate information holds severe consequences for IT stakeholders but unavailability of production operations could cause millions in revenue loss. This is when culture clashes may occur between operations and corporate departments. Each department may expect the other to operate they way they understand it. Finding a happy medium between the two domains usually results in competing priorities. Understanding the other department’s business is necessary to implement IT/OT Convergence. 

Culture clashes may occur at the department level as well as the team level. Sub-cultures also hold a dramatic impact to the success of cultural changes. Retirements, job protection, safety, and unions are a few examples where sub-cultures may interrupt convergence progress.

One Size Does Not Fit All

Every organization is unique and implementing a standard IT/OT Convergence across every organization is the same as forcing everyone to wear the same shoes. Each must be assessed to understand the barriers and increase the chances of successful convergence using a tailored approach to match the uniqueness. This concept of IT and OT using different operating models and priorities is critical for leadership to understand to help set their expectations and support convergence activities.

It shouldn’t come as a surprise that 100% convergence is very unlikely. Preliminary convergence activities may discover candidate areas to converge that may not be ideal. For instance, an OT process may rely heavily on an outsourced OT vendor skillset or another OT process holds direct impact to a physical asset, like a motor or pump. Consequences of an unplanned change can be fatal when site personnel are working physically on a machine that is controlled by an OT process. These types of critical processes may be addressed with change control processes and appropriate communication plans, but are dependent on the organizational dynamics. In the event convergence does not provide efficiencies or effectiveness, there must be tolerance to consider those areas critical to the department and not forced to change.

Centralizing risk management is one of many services to support IT/OT Convergence

Incorporating a centralized risk management framework across both environments will help raise awareness within the cross-functional teams. Operational risks may also arise from the awareness as new cyber events or changes occur. Centralized services like risk management can soften the silos and facilitate cultural change. Monitoring cyber security risks as a cross-functional team demonstrates a significant example where IT provides cyber security expertise and OT provides the operational impact expertise. Together, these usually translate into supporting enterprise goals and objectives.

Additionally, analysis of the capabilities against business objectives also provides value for convergence. What area is IT strong where OT is weak and vice versa? Can OT capitalize on any opportunities IT is targeting? What threats to the business objectives can the other department help mitigate? What critical systems and processes require dedicated resources? What operations are 24/7 and possess the right skills and responsibilities? By understanding the strengths and weaknesses of each department, gaps and capabilities are understood and actionable. Each organization holds different budgets, tolerances, sensitivities, personnel, and culture and must be tailored for IT/OT Convergence.

Conclusion

IT/OT Convergence challenges will be active and ongoing. In some cases, it may be beneficial to completely separate cyber security and risk management functions which may avoid convergence. Other firms may want to reduce costs and increase efficiencies to increase their competitive advantage. Can IT learn the OT environment to support cyber security services? Yes, but IT requires critical thinking and creativity to service both IT and OT. An IT process may hold severe physical consequences if applied to the OT processes. OT would require cultural change to trust IT or implement monitoring controls to help ease trust issues.