Is IT & OT Convergence Dead?

IT/OT Convergence: Is it bringing two worlds together?

IT / OT convergence describes the merging of information technology (IT) and operational technology (OT). In the past, IT and OT departments have been working in silos, but in the past decade, organizations have started to see the benefits of connecting the two departments to take advantages of emerging business tools to collect data and run more efficiently.

But Information Technology (IT) and Operational Technology (OT) convergence is not just about technology, it is also about the people who manage the technology, the workflows, and the governance. Although there are two camps within the cybersecurity community and leaders on whether or not the convergence has happened or if we are in the middle of it, they are faced with number of questions and challenges.

Organizations leaders must figure out how to culturally and organizationally integrate the two, until then, everything else will just be a Band-Aid.

Example questions you should consider:

• Who is responsible for managing the IT/OT convergence initiative?
• Which teams will be responsible for which parts during and after convergence?
• How will the IT/OT convergence impact the organizations overall business strategy and operations?
• How will the knowledge and skills gap between the IT and OT teams be bridged?
• How will the success of the IT/OT convergence be measured, and what metrics will be used to track progress?
• Who decides the use cases to prioritize?
• How will competing requirements be handled?
• Who will develop the necessary governance and management policies?

Organizations likely need to reform most, if not all, areas to ensure a successful digital transformation, and the modernization of OT via IT integration is no exception. Utilities face myriad challenges when converging IT and OT systems.

These challenges include IT/OT training, maintaining security, team support, process convergence, integration with systems, complex external environments, a secure implementation of the Internet of Things (IoT) and a disconnect between C-suite and managers.

Achieving a meaningful level of IT-OT convergence is a tall order. IT-OT convergence is possible only if IT and OT devices can establish two-way communications with one another. Certain dumb devices at the edge may be capable only of one-way communication.

For example, an industrial sensor might produce a stream of outbound data, but not be able to accept inbound management traffic. Similarly, its relatively common for incompatibilities to exist that inhibit communications between an IT environment and OT devices.

Some OT devices do not use standard communications protocols, for example. Scalability is also a barrier to IT-OT convergence. Its common for edge devices to produce vast amounts of data. Without proper planning, its possible that edge devices may collectively overwhelm an IT infrastructure by flooding it with more data than it can handle.

So, is the IT / OT convergence dead?

Convergence isn’t just a blending of technologies, but also teams and processes. The addition of OT brings new stakeholders into the security environment. IT security teams and processes must incorporate the diverse real-time demands of industrial environments.

There are four principal security threats to IT/OT convergence:

1. Lack of collaboration. IT and OT teams have rarely worked together, and this can lead to security oversights that can increase complexity, duplicate efforts, increase operating costs and expose security flaws that attackers can exploit. To ensure security, disparate teams must prioritize, collaborate, and communicate in ways that might not have been necessary or even possible in years past.
2. Legacy OT systems. Where IT systems rarely last more than five years, OT systems can have lifecycles that measure into decades. Such legacy systems typically incorporated few, if any, security features and can’t be upgraded because of proprietary designs or protocols. Every converged system must be evaluated for security, and systems that can’t support security requirements might demand new or updated OT equipment.
3. Insufficient insight. IT routinely relies on asset discovery and configuration to provide a clear and complete picture of the environment being managed. OT systems must be able to share this environment and offer discoverability and remote configuration and management. If an administrator can’t see an OT device, they can’t secure and manage the device. Such gaps can lead to security vulnerabilities.
4. Mission-critical demands. OT production systems are often called upon to function 24/7 year-round and can’t be paused or turned off for upgrades or updates without a significant loss of revenue or physical risk. Imagine turning off medical life support equipment for updates. Organizations might ignore potential security vulnerabilities simply because they can’t afford the cost of downtime needed to remediate risks.

We would not like to call it a convergence as they may never converge, but they are integrating for sure. The anomaly detection on the OT and IT may never converge to become a single solution, but OT has started to send contextual information to IT side, but have they been able to converged? Maybe in the future.