The convergence of information technology and operational technology is a business imperative to improve information security, according to new guidance from global IT association ISACA and the International Society of Automation (ISA).
The guide, “The Merging of Cyber Security and Operational Technology,” resulted from a joint investigation by ISACA’s Cybersecurity Nexus (CSX) and ISA to explore security issues and opportunities in industrial systems and the industrial internet. The growing number of industrial control cyber breaches has raised the priority of information security on the executive management agenda, according to the guide.
“Complexity is a major impeding factor in any attempt to establish cybersecurity capability,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, ISACA Board chair and group director of information security for INTRALOT. “Taking into account the critical importance of OT and its increasing need in cybersecurity, bringing IT and OT together is a fundamental step in addressing cyber threats, as well as to increase overall performance and decrease expense.”
The guide characterizes IT as “responsible for the systems that collect, transport and process data that provide information to the business,” while OT “generally comprises the systems that handle the monitoring and automation of ICS through supervisory control and data acquisition (SCADA) systems attached to distributed control systems (DCS).”
The lack of alignment between OT and IT creates a climate ripe for attacks on critical infrastructure and SCADA systems that monitor and gather data in real time to remotely control equipment and conditions. Organizations that integrate OT and IT should experience seven benefits, according to ISACA and the ISA:
1. Reduced operating costs through the elimination of redundant processes and resources
2. Increased control over distributed operations
3. Improved security through an integrated approach for cybersecurity across both categories
4. Consistent risk management across technology domains
5. Improved governance and management of systems
6. Improved overall plant safety (it cannot be safe if it is not secure)
7. A continuous process of “assess, implement, maintain and repeat.”
Those results can be achieved if IT and OT work together as a cross-functional unit, understanding each other’s systems and the value each brings to the organization. The guide offers criteria for full convergence that include IT and OT systems leveraging common standards, risk and governance approaches, and operating as one business unit with common objectives. This level of coordination requires that employees from IT and OT be cross-trained and that strong change management processes be in place.