Convergence of IT and OT: How to Reduce Rather Than Multiply Cyber Risk
In the era of rapid digital transformation, businesses are constantly evolving to stay competitive and relevant. One of the most significant shifts we're witnessing is the integration of Information Technology (IT) and Operational Technology (OT), a move that delivers efficiency but also brings new challenges.
Increased cybersecurity risk is the most pressing of those challenges. High profile attacks at MGM, Johnson Controls and Atlassian this month demonstrate the seriousness of these risks. Owners and operators may want to read this guide to 8 questions to ask their vendors to ensure they improve their OT cybersecurity posture now.
This IT-OT convergence is breaking down the walls of traditionally siloed building networks, seamlessly connecting building operational systems to each other, to IT systems, and to the broader internet, ushering in a new age of interconnected infrastructure.
Understanding IT and OT
In the digital realm, Information Technology (IT) primarily revolves around data-centric systems. These systems encompass computing, storage, and network equipment that form the backbone of our digital world. On the flip side, Operational Technology (OT) is deeply rooted in systems that interact directly with the physical environment. This includes industrial control systems, building management systems, and other technologies that control or monitor tangible processes.
Historically, IT and OT have existed as distinct entities, operating in separate silos. This separation wasn't just a matter of convention; it was a necessity. Given the unique demands and objectives of each, they developed their own set of protocols, standards, and operational methodologies.
IT and OT in some ways had competing priorities. IT wanted to maximize individual application functionality, data integrity and security while OT wanted to maximize system-wide uptime and data availability for real-time response. To put it simply, IT had to be indestructible and OT had to be uninterruptible.
The convergence of these two domains was once unthinkable due to their disparate performance needs and the potential risks involved. However, the promise of enhanced efficiency and innovation from combining IT and OT data is driving their integration in today's interconnected world.
Find more details on IT–OT differences on pages 28-32 of NIST’s latest Guide to OT Security.
Risks of Cyberattacks in Today's Landscape
Growing Threat Landscape – The digital age has seen an exponential rise in cyberattacks, with adversaries employing increasingly sophisticated methods to breach defenses. The first half of 2023 has seen a 180% increase in ransomware attacks. Over 40% of cyber attacks exploit OT device vulnerabilities.
Financial Implications – Beyond the immediate financial fallout, a cyberattack can lead to prolonged operational disruptions, resulting in significant revenue loss. The global average cost of a data breach is $4.35 million according to IBM, and over twice that much, $9.4 million, in the U.S.
Reputational Damage – A single breach can erode years of trust, potentially driving away customers and partners.
Regulatory and Compliance Issues – In the wake of an attack, companies may face stringent regulatory penalties, not to mention the legal ramifications of failing to protect customer data. On July 26, 2023, the SEC unveiled new cybersecurity regulations for public companies, real estate trusts (REITs), and private real estate owners operating as vendors to public tenants. The rules require rapid reporting of cyber incidents, ongoing threat monitoring, and transparent risk management.
Amplified Risks with IT and OT Convergence
Expanded Attack Surface – Merging IT and OT environments inadvertently creates more gateways for cyber adversaries, amplifying the potential attack surface. By joining IT and OT networks the vulnerabilities for one become vulnerabilities for the other, multiplying the attack surface. The Target hack where perpetrators used an entry into the HVAC system to move laterally into the point-of-sale systems to get credit card data is a classic example.
Lack of Visibility – Traditional IT security solutions are designed for IT protocols and often fall short in providing comprehensive visibility into OT systems with legacy and bespoke communication protocols, leaving them vulnerable.
Operational Disruptions – A breach in OT systems can have tangible real-world consequences. Imagine the chaos if a city's utility services were compromised or if manufacturing processes were halted. In the MGM Ransomware attack on September 12, 2023, the attack on an IT system enabled hackers to disable some of MGM's operational systems including the room key systems such that guests could not get into their own rooms.
Legacy OT Systems – Many OT systems in use today were designed decades ago, long before modern cybersecurity threats and best practices emerged. These systems, often lacking built-in security features, become easy targets.
Single Point of Failure – Centralizing identity solutions like Azure AD for both IT and OT might seem efficient, but it's a double-edged sword. A compromise in such a system could grant attackers unprecedented access across the board, as seen in the MGM infiltration through the Okta Single Sign-On platform.
Amplified Role of Secure Access Service Edge (SASE) in Bridging the Gap
SASE, or Secure Access Service Edge, is a contemporary cybersecurity framework designed to address the unique challenges of the modern digital landscape. There are several benefits of SASE for OT.
Unified Security Posture – SASE offers a harmonized security approach, ensuring both IT and OT are shielded under a single protective umbrella.
Real-time Threat Response – With SASE, organizations benefit from real-time monitoring, ensuring immediate response to any potential threats.
Simplified Management – Managing security across diverse IT and OT environments can be daunting. SASE streamlines this, offering a unified, easy-to-manage solution.
Key Takeaways for CIOs
Proactive Approach – In cybersecurity, a proactive stance is worth its weight in gold. Anticipating threats and preparing in advance can make all the difference.
Continuous Monitoring – The digital landscape is ever-evolving, and so are its threats. Continuous monitoring and timely updates are non-negotiable.
Stakeholder Collaboration – True security is achieved when IT and OT teams come together, sharing insights and collaborating for a holistic security strategy.
As Ben Cooper from BGO insightfully mentioned, "Future-proofing properties to deploy technologies quickly and have better control and management over these technologies not only leads to more efficient buildings but also aligns with company goals for ESG and sustainability."
This sentiment underscores the importance of adapting and evolving in the face of the digital age.
Key Action
The convergence of IT and OT is inevitable in our quest for digital excellence. However, with this convergence comes amplified risks. It's imperative for CIOs and technology leaders to recognize these challenges and equip themselves with solutions like SASE to navigate this new terrain confidently.
Don't expose your IT and OT environments to amplified risk. Reach out to us for a consultation or demo of our Secure Edge SASE product. Let's work together to fortify your digital landscape.
This Week’s Sponsor
View is the leader in smart building platforms and smart windows that transform buildings to improve human health and experience, reduce energy consumption and carbon emissions, and generate additional revenue for building owners. View is installed and designed into 49 million square feet and Smart Building Cloud operates in over 650 buildings. Visit smartbuildingcloud.view.com and www.view.com.
Read Next
Making Visitor Management a Welcome Experience If you’re in CRE, you already know the challenges of managing and tracking visitor access at your properties.
Shadow IT: The Hidden Threat to Real Estate Companies In today's rapidly evolving technological landscape, the emergence of Shadow IT poses significant challenges for organizations, particularly in the commercial real estate sector.
How Bridge Investment Group Cut Manual Data Entry and Improved Onsite Productivity In CRE, efficiency isn't just a goal; it's a necessity for survival. Leveraging technology as a means to cutting through operational drag and optimizing employee productivity has become a competitive imperative for success.
Updated Enterprise Architecture Overview for Corporate Real Estate and Facilities: Are We Still Treading Water or Making Progress? Realcomm has released an updated version of its Corporate Real Estate and Facilities Information Management Systems Enterprise Architecture Overview infographic.