
White paper

From accidental convergence to intentional security: A guide to secured IT/OT operations

Key takeaways

  • Your operational technology (OT) environment is not as isolated as you think.
  • Accidental IT/OT convergence, often a result of human error, is a common threat vector that breaks your air gap.
  • Up to 20% of a typical OT environment includes IT equipment, rising to 40% with Industry 4.0 initiatives, like industrial IoT devices.
  • True OT security requires a 5-step strategy: visibility, analysis, risk reduction, an ecosystem of trust, and a scalable plan.

The illusion of the "air gap"

For decades, the "air gap" has been the gold standard for securing your operational technology (OT) environment. 

OT security professionals have long viewed the strategy of keeping industrial controls (programmable logic controllers (PLCs), distributed control systems (DCSs) and human machine interfaces (HMIs)) sequestered as the ultimate protection against cyber threats.

The problem is that isolation is difficult to maintain and, in most modern plants, creates an illusion of security. 

True isolation requires eliminating countless vulnerabilities and potential attack vectors. 

Yet, the most common breach is simpler: a USB drive, an external laptop, or a new, unvetted computer.

Even when you make a strategic decision not to converge your IT and OT assets, these simple factors lead to accidental IT/OT convergence, which increases your cyber exposure.

What is accidental IT/OT convergence?

Accidental IT/OT convergence is the unplanned connection or interaction between your IT and OT environments. It happens without your knowledge and destroys your air gap.

In an average OT environment, upwards of 20% of your infrastructure already uses IT equipment, which can balloon to 40% if you’ve adopted Internet of Things (IoT) devices. 

And, while you’re worrying about external targeted attacks, a bigger threat lingers. Human error is by far the most common threat vector. It’s how sophisticated attacks like Stuxnet and Dragonfly jumped air gaps to infiltrate critical infrastructure.

Five steps to intentional security in converged IT/OT environments

The convergence of IT and OT, whether planned or unplanned, is a reality for every critical infrastructure and industrial operation. To protect your organization, you must move from a passive "air gap" defense to a proactive strategy. This white paper provides a five-part strategy:

  1. Gain total visibility. Modern attacks travel across IT and OT borders. You must de-silo your visibility to see all your IT and OT assets in a single pane of glass. This single view must also show the connections happening between these assets.
  2. Use deep situational analysis. While organizations typically refresh IT assets every 12-18 months, OT infrastructures persist for 10-15 years. OT asset inventories are often outdated. You cannot secure assets you do not know exist. You need a detailed, automatically updated inventory of all IT and OT devices.
  3. Actively reduce cyber risk. Since cyber attacks target devices, you must actively query and secure at the device level, including using anomaly-based detection for zero-day attacks and prioritizing vulnerability management. Your team must focus on the exploitable vulnerabilities that pose the highest risk for your organization.
  4. Create an ecosystem of trust. To close exposures across your IT/OT environment, your cybersecurity tools must work together. An industrial control system (ICS) security solution, like Tenable OT Security, feeds valuable details to your SIEM or next-generation firewall to increase the value from your existing security investments.
  5. Scale your security by breaking down silos across cyber tools and teams. Your IT and OT teams have different goals. Generally, IT is "always secured," while OT is "always on." Failure to find common ground can create a gaping hole in your cyber defense. A unified strategy brings these teams together to reduce cyber risk without compromising production.

Frequently asked questions about IT/OT convergence
Find answers to common questions about accidental IT/OT convergence.

What is the difference between IT and OT security?

The difference between IT and OT security is that IT security focuses on protecting data, with goals of confidentiality, integrity, and availability (always secured). OT security focuses on protecting physical processes, with goals of productivity, safety, and regulation (always on).

Is an air gap enough for OT security?

No. An IT/OT air gap is not enough for OT security. It often creates a false sense of security and is extremely difficult to maintain. Common attack vectors, like bringing a USB drive or external laptop into an OT environment, can breach air gaps and create accidental convergence.

What is IT/OT convergence?

IT/OT convergence is the planned integration of IT systems with OT systems (like PLCs, DCSs, and HMIs) that manage physical processes. While it may improve efficiency in industrial and critical infrastructure systems, it can create new attack vectors and increase your cyber risk.
