In recent years, the gap between information technology (IT) and operational technology (OT) has been narrowing at an accelerated pace, leading to the emergence of a new field known as IT/OT convergence. This trend is driven by a number of factors, including the increasing digitization of industrial processes, the rise of the Internet of Things (IoT) to support business efficiencies, and the need for additional data to monitor existing and future business activities.
There are many misconceptions about IT/OT convergence, but at its core, IT/OT convergence refers to the integration of IT systems, which are typically used for business and communication purposes, with OT systems, which are used to monitor and control industrial processes. This convergence allows for a more seamless flow of information between the two worlds, enabling organizations to make better-informed decisions, improve operational efficiency, and enhance the overall safety and security of their operations.
With an increase in reliance on digital systems and physical systems working together, comes an increase in risk to the organization. For example, the cyber attack on Colonial Pipeline in May 2021 demonstrates how even when OT systems are not directly attacked, the very existence of the IT/OT relationship gave way to shutting off the pipeline entirely to avoid hackers traversing to additional company systems. In this instance, ransomware caused operational downtime of critical infrastructure; what is more, the new attack surface created with the convergence of IT/OT can also lead to lack of trust in the data, data loss, and even physical harm.
Securing IT/OT convergence is challenging because it’s not as simple as combining the best practices from both worlds. IT/OT convergence created something new, and new security controls and policies will need to follow. Underpinning any best practice applied to IT/OT systems is first and foremost understanding what is getting protected and its risk relative to the business. An HVAC in an office building has a very different risk profile from that of an HVAC system in a hospital. In one environment, temperature control merely affects the comfortability of the office workers, while the other plays a critical role in the care and safety of the patients.
The good news is securing IT/OT isn’t all only about addition. It’s also about subtraction. With a better understanding of system use and baseline behavior, organizations can better protect against cyber threats and other potential vulnerabilities at the same time as they optimize operations.
As the digitization of industry continues to accelerate, the convergence of IT and OT systems will become increasingly important, providing organizations with the tools and insights they need to remain competitive in today's rapidly changing business environment.