By Stig Valderhaug, CEO of Sicra and Jean-Paul Baaklini, CEO of Bluetree
For most people, cybersecurity is about avoiding viruses, preventing company data from being locked by ransomware or stopping valuable information from being stolen. Going forward, cybersecurity will increasingly be about ensuring access to water, electricity, transport and communication, the fundamental functions of society.
Every single day, nations and criminals attempt to break into the industrial systems that provide basic services in our modern society. To prevent serious incidents, it is important to build a holistic digital defense that embraces both traditional IT (information technology) and OT (operational technology and industrial systems).
IT and OT convergence requires a new security strategy
These two digital worlds have traditionally been separate, but cloud services, remote control and data-driven production processes are bringing them closer together. Production lines, energy facilities, health technology and control systems are connected to networks, business systems and cloud services to gain insights, control and efficiency. From a business perspective this is smart, but from a security perspective it is demanding.
The merging of IT and OT exposes organizations to a type of risk that requires a broad range of competence and resources to manage. The attack surface is growing rapidly, and attackers know that OT systems are often poorly protected. At the same time, security authorities report an increase in both the number and complexity of cyberattacks from large and well-resourced actors, such as nations and global mafia networks. In addition, security work in organizations is hindered because many still treat IT and OT as two separate worlds:
- IT departments are given responsibility for OT without understanding the operational processes or knowing the systems.
- OT specialists are expected to handle cyber risk without the time or relevant tools.
- The organization lacks an overview of the integrations between IT and OT.
The result is that no one has overall responsibility for cybersecurity.
Six steps toward a secure IT and OT platform
It is not easy to strengthen IT and OT security, but with the right framework and expertise it is possible to avoid the most common mistakes. The six recommendations below are a good starting point for building a solid IT and OT security foundation.
- Hire a CISO (Chief Information Security Officer), a security leader who has overall responsibility for both IT and OT security.
- Get a full overview. Map all OT devices and systems that are connected to the network, including external supplier connections.
- Introduce network segmentation and zero trust. Traffic between the segments must be controlled and monitored.
- Implement 24/7 monitoring of both IT and OT.
- Establish a realistic updating schedule.
- Train the organization. Attacks against OT are an emergency situation. IT, OT and security environments must train together.
Attacks on OT involve lost production, weakened societal functions and in the worst case harm to people and the environment. The simplest solution would be to disconnect OT systems from networks and IT, but that is not desirable. The benefits of IT and OT convergence are far too great. We cannot slow down development, but we can secure it.
The IT and OT convergence and the merging of IT security and OT security are the foundation for Sicra and Bluetree joining forces. Together we can meet increasingly complex security challenges with a broader service offering and a larger professional environment that now includes around 70 security experts.