The Internet of Things (IoT) and Industrial IoT (IIoT) represent a massive new cyber security challenge for many organizations, vastly expanding the potential attack surface because of the greatly increased number of endpoint devices in use.
Data security and privacy become much more difficult in an environment that encompasses the worlds of both IT and operational technology (OT).
“The maturity and security posture of companies will increasingly depend upon the successful convergence of IT and OT control systems,” Larry Ponemon, chairman and founder of Ponemon Institute, stated recently.
The institute, which is dedicated to advancing responsible information and privacy management practices in business and government, earlier this year conducted a study on safety, security, and privacy in the interconnected environment of IT, OT, and IIoT.
The report, sponsored by TUV Rheinland OpenSky, defines OT as the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, or sensors. IIoT is the application of IoT systems to the manufacturing industry, and is rapidly enhancing industrial automation.
Digitalization around the areas of traditional manufacturing automation systems will continue to gain momentum, the report said; therefore, the convergence of IT and OT will be a strong point of discussion within enterprises. It will bring into focus new platforms and business services that will potentially integrate different areas, from enterprise data at the corporate level, through to field and process-level automation.
These platforms will be highly desirable in the pursuit of digitalization, the study said, as they offer better designs, visualizations, ergonomics, and convenience of accessibility. But the platforms also introduce the challenge of managing privacy while increasing the surface area of exposure to cyber threats, and at the same time maintaining a similar or higher level of safety and reliability around the operations of these interconnected systems.
For its research, Ponemon Institute in October and November 2018 surveyed nearly 600 cyber security practitioners in the United States who understand how cyber security risks could affect functional safety and who are familiar with security and privacy initiatives within their organizations.
A majority of respondents (61%) said convergence of IT and OT is essential or very important to their businesses. Among the reasons: their organizations’ ability to achieve a more mature security posture will increasingly depend on the convergence of IT and OT control systems (cited by 62%). Nearly half of the respondents (47%) said their leaders realize convergence is important to having trusted relationships with supply chain partners.
A majority of the respondents (73%) think convergence is not possible without the support of the CIO, and 62% think it’s not possible without the support of C-level executives. Other important factors include strict safeguards to protect the sharing and use of data critical to operations (65%), a history of strong silos and turf issues (55%), and independent certification of cyber security, functional safety, and data privacy (54%).
Survey respondents were asked to rate their effectiveness in completing specific tasks critical to achieving convergence on a scale of 1 (not effective) to 10 (very effective). According to 69% of respondents, their organizations manage safety programs effectively, while 67% said they are very effective in planning cyber security initiatives to support business priorities, and 66% said their leadership and governance practices are very effective.
Fewer organizations are effective in managing third-party risks (42%), compliance with regulations and standards (37%), and managing their privacy programs (31%).
An organization’s resilience and agility are most critical to ensuring a successful convergence process, according to the report. Respondents were asked to rate specific organizational characteristics as to their importance in the convergence management process, and resilience, agility, strong security posture, and knowledgeable or expert staff were rated as characteristics that support a successful convergence process.
While CIO support is considered vital to achieving IT and OT convergence, the CISO is most involved in the convergence process, based on the survey results. These security executives are most likely to direct convergence efforts (cited by 65% of respondents), and the least likely to do so is the chief privacy officer (29%). This explains why few respondents report that their organizations are very effective in managing privacy practices in the convergence process, the study said.
Organizations are managing the convergence process using both in-house and external expertise, with 46% of respondents saying their organizations use a combination of inside and outsourced expertise to manage the convergence process. Only 20% rely on outsourced service providers.
Turf and silo issues are the biggest barrier to convergence, with 56% of respondents saying the inability to overcome turf and silo issues is a challenge. The inability to control security, safety, and privacy initiatives is considered a barrier by 47% of respondents.