Operational technology (OT) or industrial control systems (ICS) are responsible for keeping the power on and water and gas flowing to support essential services for consumers, industry and governments. As technology advances, utilities are introducing Internet connections (IT) to their OT networks to improve operational efficiency. They are also linking their OT systems to their IT systems to leverage the rich data being collected.

This OT-IT convergence is boosting performance and streamlining ways of working by enabling capabilities such as off-site monitoring and remote maintenance. However, the majority of OT systems were developed in the 1980s and 1990s with little idea that they would be part of a connected society, and thus with little thought to security.

Because a cyber threat to IT is now becoming a cyber threat to OT as well, and vice versa, there’s no question that utilities must look at cybersecurity holistically across the two domains. But there are huge differences in how they operate―from cultures, to chains of command, to drivers, focus areas and job descriptions.

In the OT environment, the focus is on high availability, and safety is paramount. Here, the impact of a cyber breach can include outages, physical injury and even loss of life. In the IT environment, which often supports back-office functions, operations are more controlled and managed. The impact of an IT breach tends to be financial or reputation loss, which can be very significant.

A recent study by CGI in the UK, The Cyber-Value Connection, has found that a severe cybersecurity breach represents a permanent cost of 1.8% of company value, as measured relative to a control group of peer companies. It may be logical to assume that an OT breach causing a widespread service outage and/or physical harm could have an even greater impact on valuation.

The differences in OT and IT must be recognized to develop sound cybersecurity strategies in a connected world. Attempting to migrate security processes and tools from one side to the other is not a viable approach.

But how can utilities (or other ICS industries like oil and gas or transportation) bring both sides together to ensure a common path to cyber vigilance?

The high level of preparedness needed to mitigate both OT and IT threats requires a holistic approach across the dimensions of people, process, technology and governance.

Given the vast differences between OT and IT, utilities may need the expertise of strategic partners who understand both domains to help bridge the divide. The goal is an end-to-end cyber program that starts from the most basic levels (plant floor and field device) and moves up the organization through to the board room. (Read more on improving cyber governance in my colleague Andrew Rogoyski’s blog.)

The following are recommended steps for developing a cybersecurity approach that supports OT-IT convergence and achieves greater situational awareness and enterprise-wide visibility into threats and preparedness.

Developing Cybersecurity: Governance, People, Process, Technology
  • Get the right people involved
  • Determine what is OT and what is IT
  • Develop a culture of vigilance
  • Improve education
  • Recognize the differences between OT and IT security
  • Eliminate points of vulnerability
  • Prepare for the worst case
  • Create redundancy
  • Establish priorities
  • Monitor and test

While OT and IT may be drastically different technology environments, the utilities industry is looking to combine these worlds, which means that vulnerability to attacks is higher and protection is first and foremost a priority.

CGI works with utilities and other ICS industries to understand and assess the criticality of their OT-IT security environments, identify gaps, determine where best to make investments, and assist with planning, implementation and operations.

Learn more about this topic in our white paper, Convergence Brings Opportunities and Risk.

About this author

CGI’s Cybersecurity Practice

At CGI, security is part of everything we do. Our end-to-end offerings include consulting and training, integration and implementation, managed services and cyber insurance services. Through our global network of Security Operations Centers (SOCs) with state-of-the-art infrastructure operating 24/7/365, we have a 360-degree view ...