
Jori VanAntwerp
For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.
If you’ve worked in or adjacent to OT, you’ve most likely heard the term IT/OT convergence. And though the industry still talks about convergence as if it’s a recent development, in reality, most organizations’ convergence took place 10 to 15 years ago.
Organizations, operational teams, and regulatory agencies are all cognizant of the risks associated with incorporating “smart” technology, cloud computing, AI tech, and other new innovations. That’s why new requirements and regulations centered on those technologies have been introduced. Juggling the security of OT environments while simultaneously navigating connections to IT technology or the cloud and maintaining compliance requirements is no small task.
But the benefits of connected and cloud technologies continue to increase at an exponential rate. The ability to gather and analyze extensive data sets at speed to provide data for security, safety, efficiency, and resilience has spurred the evolution and innovation of many security and operational solutions. So it’s well worth the effort to walk the tightrope of IT integration and convergence.
However, to reap the benefits of increased IT/OT convergence, the legitimate risk that inevitably accompanies exposing facets of entire operational environments must also be considered.
Your IT/OT Environments Converged – Now What?
Understanding the impacts each environment can have on others, and how those impacts can be leveraged to benefit your organization or weaponized to its detriment, is key.
When considering the integration of a “shiny” new, connected technology into your industrial environment, your team needs to keep the security of your environment, devices, and data at the forefront of their minds. This is equally true when updating an existing tool or component.
One common example of using connected technology to access and optimize industrial environments based on OT data is remote monitoring solutions.
Other examples of converged technology in OT environments come in many different forms, including (but definitely not limited to):
- Industrial Internet of Things (IIoT): connected OT devices and sensors for real-time data collection.
- Smart Meters: used to measure usage/consumption and communicate with utility companies in near real-time for accurate billing and operational needs and efficiencies.
- Industry 4.0: often used in advanced manufacturing environments, this includes software such as machine simulation, digital twins, and machine monitoring solutions that require OT and IT data to be combined. In some cases, this data traverses the internet or lives in the cloud.
- Cloud-based technology and solutions: this can include anything from remote support & access for industrial devices to security, telemetry, & data for operators and analysts.
Whether you’re actively incorporating new technology in your environment or securing the solutions that are already in place, there are steps you can take to reduce risk and ensure you’re well-prepared for future compliance needs.
Setting Your Environment Up for Success with New Tech + Compliance
The specific compliance requirements for any environment will depend on the particular compliance framework it must adhere to. For example, the requirements for NERC CIP are very different from those for CMMC, which in turn differ from the requirements for ISO 27001… you get the idea.
Still, no matter what framework applies to your environment, there are best practices and steps that can be taken to maintain security while helping you meet and maintain compliance requirements. This is true whenever you are integrating connected technology into your environment.
Know what you need to protect
It’s hard to defend the devices and data in your environment if you’re not even sure what’s on your network. Visibility into your network and understanding the devices and assets on your OT network — and how they work together — is the first step in achieving security and compliance. Consistently monitoring traffic, communications, and other network activity can help ensure all systems are configured and operating properly. And it never hurts to have an updated asset inventory to reference for compliance documentation and evidence.
Establish consistent access controls and segmentation
Have access controls in place to limit who has access to critical systems, devices, and applications in your environment. Access should be based on roles, and users should only be able to access the systems and applications they need for their jobs. These permissions should be monitored and verified regularly, removing access as needed.
Segment OT environments to limit the potential impact of an incident by keeping it contained within a smaller area. A DMZ (demilitarized zone) should also be established between the OT network and any external connections, whether to the larger enterprise network or the internet. A DMZ allows for dedicated monitoring within that segment to control what communications are allowed in and out of the OT network.
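As an added illustration of the inventory and segmentation steps above (not code from the author or EmberOT), this Python example checks flow records against an asset inventory and a zone policy in which OT reaches the enterprise network or the internet only through the DMZ. The subnets, device names, and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption): substitute your own subnets.
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}
# Zone pairs allowed to talk directly (undirected). OT never pairs with
# enterprise or external: that traffic has to be brokered by the DMZ.
ALLOWED = {frozenset(p) for p in [
    ("ot",), ("dmz",), ("enterprise",),
    ("ot", "dmz"), ("dmz", "enterprise"),
    ("dmz", "external"), ("enterprise", "external"),
]}
# Constructed asset inventory for the OT and DMZ segments.
INVENTORY = {"10.10.1.5": "PLC-line1", "10.10.1.20": "HMI-line1",
             "10.20.0.10": "historian-replica"}
# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502),    # HMI to PLC inside OT
    ("10.10.1.5", "10.20.0.10", 443),    # PLC to DMZ historian
    ("10.30.4.7", "10.10.1.5", 502),     # enterprise host straight to PLC
    ("10.10.1.77", "203.0.113.9", 443),  # unlisted OT host to the internet
    ("10.30.4.7", "10.20.0.10", 443),    # enterprise to DMZ historian
]

def zone_of(ip):
    """Return the zone containing ip, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def review(flows, inventory):
    """Flag flows that skip the DMZ and OT/DMZ hosts missing from inventory."""
    findings, unknown = [], set()
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if frozenset((sz, dz)) not in ALLOWED:
            findings.append(("bypasses-dmz", f"{src} -> {dst}:{port}"))
        for ip, zone in ((src, sz), (dst, dz)):
            if zone in ("ot", "dmz") and ip not in inventory and ip not in unknown:
                unknown.add(ip)
                findings.append(("not-in-inventory", ip))
    return findings

if __name__ == "__main__":
    for kind, subject in review(FLOWS, INVENTORY):
        print(f"{kind}: {subject}")
```

The same findings list can be kept alongside the asset inventory as evidence that segmentation is being verified, not just documented.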
Establish and document your security policies
Keeping accurate and updated documents is critical to ensuring that teams across the organization know how to keep your operational technology up and running. Clear documentation should include all the roles and responsibilities of different teams and stakeholders, along with all the relevant controls and procedures.
Documentation is also the name of the game when it comes to submitting evidence for compliance. Neat and accurate documentation, including version histories, will make audits far less painful.
Conduct thorough risk assessments
Once you know what’s in your environment, assess any risks that need to be addressed. New technology, connections, and updates need to be evaluated for any associated threats. New IT solutions may expose devices to new vulnerabilities and should be regularly assessed.
Because industrial machines and devices are purpose-built for highly specific operational purposes, they typically have a much longer lifespan. Some of these devices may be too old to patch or upgrade to new versions. Assess whether any new technologies put these devices at risk, and then implement any necessary additional measures to protect them.
Regular environment testing and monitoring
Testing your environment and connected devices whenever possible can help identify any vulnerabilities or gaps that may have been missed.
Ideally, tests should be done prior to deployment or in a sandbox environment so as not to adversely impact operations, which can have a cascading effect on entire environments.
Policies and processes should also be tested, especially those regarding incident response, disaster recovery, business continuity, and other emergency scenarios. Any changes to these policies and processes, or to their existing architecture, should automatically prompt a review of any related policies and processes that might also be impacted.
Keep communication between IT and OT teams clear and consistent
IT and OT teams should collaborate to create a communication framework and a glossary of common terms. Have each team establish clear goals and expectations with each other. This shared understanding will facilitate seamless solution integration, ultimately leading to successful collaborations between IT and OT teams. This helps ensure that solutions are secure, work within both teams’ requirements, and add value.
Maintaining Security and Compliance Amid IT/OT Convergence
Even though many organizations have already undergone IT/OT convergence, the continual introduction of new technologies and innovations means there are always new challenges and risks to consider.
It’s important for organizations to understand both the benefits and the risks of any new “shiny objects” they integrate into their environments. That includes connected and cloud technologies. Any integration will also mean implementing new or revised strategies to maintain security and compliance. At a minimum, this looks like knowing exactly what devices or tools need to be protected, establishing continuous monitoring and risk assessments, and having a plan in place for incident response and recovery.
As technology continues to evolve and new regulations are introduced, staying informed and proactive will be the key to maintaining security, safety, compliance, and operability.
~Jori 🤘🔥