Bridging the gap between OT and IT cybersecurity
How do you assess OT and IT cybersecurity in an integrated way? Certification specialist Adelina-Elena Voicu presents her research.
Bridging the gap between IT and OT
OT systems used to be isolated from the networks that ran IT systems, and IT and OT cybersecurity were treated as separate issues. But the two are becoming more integrated, and this integration brings new challenges when assessing the security of these systems. Adelina-Elena Voicu, certification specialist at Secura, researched these challenges in depth. She answers three questions on her research.
Why do we need a combined approach to IT and OT security?
‘Most organizations nowadays have both IT and OT infrastructure. For OT systems, the standard to follow is IEC 62443-2-1. This standard was inspired by the standard for IT systems: ISO 27001. This means these two standards contain similar controls. But one was created specifically for IT and the other specifically for OT.’
Gaps and overlaps
‘If we perform an assessment based on OT controls, we might miss IT controls that might be relevant. At the same time we cannot just use IT controls and extend them to OT environments, because that may lead to conflicts.’
‘So what I researched was: how can we create an integrated IT/OT cybersecurity approach based on these two similar standards? To do this I mapped the gaps and overlapping parts of the two standards, ISO 27001 and the implementation guidance in ISO 27002.’
Which conflicts can arise if you use an IT control on an OT environment?
‘Let’s look at secure authentication. It’s easy to require that you and I use a password on our laptop. But what happens if we extend that requirement to an operator screen, say in a factory? If there is an emergency and an operator needs to access the screen, having a password may delay the response time. Then a password, the IT security control, becomes a safety hazard. And security is important, but safety always comes first.’
How can you use this research in practice?
‘We are still working on the practical outcome. But imagine you want to do an assessment of your security maturity. For an assessment like this you would use controls of, for instance, IEC 62443 for your OT environment, or ISO 27001 in case of an IT environment.’
‘But what if your company has both? A full assessment for both environments would require a lot of effort and be costly. But if we can identify the overlaps between the two standards, we could use one assessment to cover both IT and OT. During the assessment we would only have to ask certain questions once. This saves time and money.’
Read more about this research into assessing the security of IT/OT environments in these two Whitepapers.
About the author
Adelina-Elena Voicu works as a junior certification specialist at Secura within the Product Manufacturers market group. She completed a master’s degree in the Information Security and Technology field at the Eindhoven University of Technology. Since graduating she has been working at Secura on projects related to product certification, with a special focus on connected vehicles and industrial products.
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.