Two missing ingredients in implementing and maintaining OT security transformation programs
1. Strategic business alignment and risk-based decisions
One common trap that organizations must avoid when implementing OT security programs is focusing on short-term gains or treating technical gaps from assessment reports as checklists to be “ticked off”. OT security is still not strategically aligned enough to understand what businesses really need, and a real risk-based approach to security implementation and operations is still lacking.
One reason for this is that information technology (IT)/OT security governance and target operating model topics are often treated with reluctance. Yet they remain a critical element in making the security, OT and IT operating model changes stick in the future organization.
2. IT/OT convergence and service-orientation in OT
Another pitfall in OT security efforts is the limited ability to successfully integrate IT and OT functions. The main cause for this is the historical differences in how IT and OT technologies were managed and maintained. The increased integration between IT and OT technologies allows for a new service-oriented approach to how infrastructure and security services are designed, transitioned and provisioned to OT asset owners and engineers.
Extending current enterprise IT services to OT areas may not always be feasible or viable, especially when the OT configuration management database (CMDB) is often undeveloped or not regularly updated. However, the OT service management model seems to have the most success when IT and OT teams join forces to enable their businesses to operate in a more modern and digital way.
Steps for success
Organizations seeking to successfully implement OT security programs must ensure they:
- Implement a target OT security governance model with organizational structures, policies and procedures early during the program
- Closely involve all parties in the organization, from across security, OT and IT, while the target operating models are being defined
- Continuously extend IT service management functions towards OT areas, enabling more integration, convergence as well as standardization of infrastructure and security services
- Build foundations for future OT service management by implementing OT CMDB and OT asset management processes