OT/IT convergence security maturity model
For decades, we’ve watched energy companies attempt to bring off-the-shelf information technology (IT) systems into operations technology (OT) environments. These attempts have had varying degrees of success. While converging OT and IT brings new efficiencies, it also brings new risks. There are many moving parts to convergence, and there are several questions that you must answer, such as, “Are systems, processes, and organizations at the same point in their convergence journey?” and “Are risks still being managed well?”
<p>To help you answer these questions, this post provides an aid in the form of a maturity model focused on the security of OT/IT convergence.</p>
<p>OT environments consist of industrial systems that measure, automate, and control physical machines. Because of this, OT risk management must consider potential risks to environment, health, and safety. Adding common IT components can add to these risks. For example, OT networks were typically highly segmented to reduce exposure to external untrusted networks while IT has a seemingly ever-growing network surface. Because of this growing surface, IT networks have built-in resiliency against cyber threats, though they weren’t originally designed for the operational requirements found in OT. However, you can use the strengths of <a href="https://aws.amazon.com" target="_blank" rel="noopener">Amazon Web Services (AWS)</a> to help meet regulatory requirements and manage risks in both OT and IT.</p>
<p>The merging of OT and IT has begun at most companies and includes the merging of systems, organizations, and policies. These components are often at different points along their journey, making it necessary to identify each one and where it is in the process to determine where additional attention is needed. Another purpose of the OT/IT security convergence model is to help identify those maturity points.</p>
<p>Patterns in this model often reference specific aspects of how much involvement OT teams have in overall IT and cloud strategies. It’s important to understand that OT is no longer an air-gapped system that is hidden away from cyber risks, and so it now shares many of the same risks as IT. This understanding enables and improves your preparedness for a safe and secure industrial digital transformation using AWS to accelerate your convergence journey.</p>
<h2>Getting started with secure OT/IT convergence</h2>
<p>The first step in a secure OT/IT convergence is to ask questions. The answers to these questions lead to establishing maturity patterns. For example, the answer might indicate a quick win for convergence, or it might demonstrate a more optimized maturity level. In this section, we review the questions you should ask about your organization:</p>
<ol>
<li>When was the last time your organization conducted an OT/IT cybersecurity risk assessment using a common framework (such as ISA/IEC 62443) and used it to inform system design? <p>When taking advantage of IT technologies in OT environments, it’s important to conduct a cybersecurity risk assessment to fully understand and proactively manage risks. For risk assessments, companies with maturing OT/IT convergence display common patterns. Some patterns to be aware of are:</p>
<ul>
<li>The frequency of risk assessments is driven by risk measures and data</li>
<li>IT technologies are successfully being adopted into OT environments</li>
<li>Specific cybersecurity risk assessments are conducted in OT</li>
<li>Risk assessments are conducted at the start of Industrial Internet of Things (IIoT) projects</li>
<li>Risk assessments inform system designs</li>
<li>Proactively managing risks, gaps, and vulnerabilities between OT and IT</li>
<li>Up-to-date threat modeling capabilities for both OT and IT</li>
</ul> <p>For more information, see:</p>
</li>
<li>What is the extent and maturity of IIoT enabled digital transformation in your organization? <p>There are several good indicators to determine the maturity of IIoT’s effect on OT/IT convergence in an organization. For example, the number of IIoT implementations with well-defined security controls. Also, the number of IIoT digital use cases developed and realized. Additionally, some maturing IIoT convergence practices are:</p>
<ul>
<li>Simplification and standardization of IIoT security controls</li>
<li>Scaling digital use cases across the shop floor</li>
<li>IIoT being consumed collaboratively or within organizational silos</li>
<li>Integrated IIoT enterprise applications</li>
<li>Identifying connections to external networks and how they are routed</li>
<li>IoT use cases identified and implemented across multiple industrial sites</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Does your organization maintain an inventory of connected assets and use it to manage risk effectively? <p>A critical aspect of a good security program is having visibility into your entire OT and IIoT system and knowing which systems don’t support open networks and modern security controls. Since you can’t protect what you can’t see, your organization must have comprehensive asset visibility. Highly capable asset management processes typically demonstrate the following considerations:</p>
<ul>
<li>Visibility across your entire OT and IIoT system</li>
<li>Identifies systems not supporting open networks and modern security controls</li>
<li>Vulnerabilities and threats readily map to assets and asset owners</li>
<li>Asset visibility is used to improve cybersecurity posture</li>
<li>An up-to-date and clear understanding of the OT/IIoT network architecture</li>
<li>Defined locations for OT data including asset and configuration data</li>
<li>Automated asset inventory with modern discovery processes in OT</li>
<li>Asset inventory collections that are non-disruptive and do not introduce new vulnerabilities to OT</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Does your organization have an incident response plan for converged OT and IT environments? <p>Incident response planning is essential for critical infrastructure organizations to minimize the impacts of cyber events. Some considerations are:</p>
<ul>
<li>An incident response plan that aims to minimize the effects of a cyber event</li>
<li>The effect of incidents on an organization’s operations, reputation, and assets</li>
<li>Developed and tested incident response runbooks</li>
<li>A plan identifying potential risks and vulnerabilities</li>
<li>A plan prioritizing and allocating response personnel</li>
<li>Established clear roles and responsibilities</li>
<li>Documented communication procedures, backup, and recovery</li>
<li>Defined incident escalation procedures</li>
<li>Frequency of response plan testing and cyber drills</li>
<li>Incident response collaboration between OT and IT authorities</li>
<li>Relying on individuals versus team processes for incident response</li>
<li>Measuring incident response OT/IT coordination hesitation during drills</li>
<li>An authoritative decision maker across OT and IT for seamless incident response leadership</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>With reference to corporate governance, are OT and IT using separate policies and controls to manage cybersecurity risks or are they using the same policy? <p>The ongoing maturity and adoption of cloud within IT and now within OT creates a more common environment. A comprehensive enterprise and OT security policy will encompass risks across the entirety of the business. This allows for OT risks such as safety to be recognized and addressed within IT. Conversely, this allows for IT risks such as bots and ransomware to be addressed within OT. While policies might converge, mitigation strategies will still differ in many cases. Some considerations are:</p>
<ul>
<li>OT and IT maintaining separate risk policies.</li>
<li>Assuming air-gapped OT systems.</li>
<li>The degree of isolation for process control and safety networks.</li>
<li>Interconnectedness of OT and IT systems and networks.</li>
<li>Security risks that were applicable to either IT or OT might now apply to both.</li>
<li>OT comprehension of risks related to lateral movement.</li>
<li>Singular security control policy that governs both OT and IT.</li>
<li>Different mitigation strategies as appropriate for OT and for IT. For example, the speed of patching is often different between OT and IT by design.</li>
<li>Different risk measures maintained between OT and IT.</li>
<li>A common view of risk to the business.</li>
<li>The use of holistic approaches to manage OT and IT risk.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Is there a central cloud center of excellence (CCoE) with equivalent representation from OT and IT? <p>Consolidating resources into centers of excellence has proven an effective way to bring focus to new or transforming enterprises. Many companies have created CCoEs around security within the past two decades to consolidate experts from around the company. Such focused areas are a central point of technical authority and accelerates decision making. Some considerations are:</p>
<ul>
<li>Consolidating resources into centers of excellence.</li>
<li>Security experts consolidated from around the company into a singular organization.</li>
<li>Defining security focus areas based on risk priorities.</li>
<li>Having a central point of security authority.</li>
<li>OT and IT teams operating uniformly.</li>
<li>Well understood and applied incident response decision rights in OT.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Is there a clear definition of the business value of converging OT and IT? <p>Security projects face extra scrutiny from multiple parties ranging from shareholders to regulators. Because of this, each project must be tied to business and operational outcomes. The value of securing converged OT and IT technologies is realized by maintaining and improving operations and resilience. Some considerations are:</p>
<ul>
<li>Security projects are tied to appropriate outcomes</li>
<li>The same measures are used to track security program benefits across OT and IT.</li>
<li>OT and IT security budgets merged.</li>
<li>The CISO has visibility to OT security risk data.</li>
<li>OT personnel are invited to cloud strategy meetings.</li>
<li>OT and IT security reporting is through a singular leader such as a CISO.</li>
<li>Engagement of OT personnel in IT security meetings.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Does your organization have security monitoring across the full threat surface? <p>With the increasing convergence of OT and IT, the digital threat surface has expanded and organizations must deploy security audit and monitoring mechanisms across OT, IIoT, edge, and cloud environments and collect security logs for analysis using security information and event management (SIEM) tools within a security operations center (SOC). Without full visibility of traffic entering and exiting OT networks, a quickly spreading event between OT and IT might go undetected. Some considerations are:</p>
<ul>
<li>Awareness of the expanding digital attack surface.</li>
<li>Security audit and monitoring mechanisms across OT, IIoT, edge, and cloud environments.</li>
<li>Security logs collected for analysis using SIEM tools within a SOC.</li>
<li>Full visibility and control of traffic entering and exiting OT networks.</li>
<li>Malicious threat actor capabilities for destructive consequences to physical cyber systems.</li>
<li>The downstream impacts resulting in OT networks being shut down due to safety concerns.</li>
<li>The ability to safely operate and monitor OT networks during a security event.</li>
<li>Benefits of a unified SOC.</li>
<li>Coordinated threat detection and immediate sharing of indicators enabled.</li>
<li>Access to teams that can map potential attack paths and origins.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Does your IT team fully comprehend the differences in priority between OT and IT with regard to availability, integrity, and confidentiality? <p>Downtime equals lost revenue. While this is true in IT as well, it is less direct than it is in OT and can often be overcome with a variety of redundancy strategies. While the OT formula for data and systems is availability, integrity, then confidentiality, it also focuses on safety and reliability. To develop a holistic picture of corporate security risks, you must understand that systems in OT have been and will continue to be built with availability as the key component. Some considerations are:</p>
<ul>
<li>Availability is vital in OT. Systems must run in order to produce and manufacture product. Downtime equals lost revenue.</li>
<li>IT redundancy strategies might not directly translate to OT.</li>
<li>OT owners previously relied on air-gapped systems or layers of defenses to achieve confidentiality.</li>
<li>Must have a holistic picture of all corporate security risks.</li>
<li>Security defenses are often designed to wrap around OT zones while restricting the conduits between them.</li>
<li>OT and IT risks are managed collectively.</li>
<li>Implement common security controls between OT and IT.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>Are your OT support teams engaged with cloud strategy? <p>Given the historical nature of the separation of IT and OT, organizations might still operate in silos. An indication of converging maturity is how well those teams are working across divisions or have even removed silos altogether. OT systems are part of larger safety and risk management programs within industrial systems from which many IT systems have typically remained separated. As the National Institute of Standards and Technology states, “To properly address security in an industrial control system (ICS), it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS.” [NIST 800-82r2, Pg. 3]. Some considerations are:</p>
<ul>
<li>OT experts should be directly involved in security and cloud strategy.</li>
<li>OT systems are part of larger safety and risk management programs.</li>
<li>Make sure that communications between OT and IT aren’t limited or strained.</li>
<li>OT and IT personnel should interact regularly.</li>
<li>OT personnel should not only be informed of cloud strategies, but should be active participants.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>How much of your cloud security across OT and IT is managed manually and how much is automated? <p>Security automation means addressing threats automatically by providing predefined response and remediation actions based on compliance standards or best practices. Automation can resolve common security findings to improve your posture within AWS. It also allows you to quickly respond to threat events. Some considerations are:</p>
<ul>
<li>Cyber responses are predefined and are real-time.</li>
<li>Playbooks exist and include OT scenarios.</li>
<li>Automated remediations are routine practice.</li>
<li>Foundational security is automated.</li>
<li>Audit trails are enabled with notifications for automated actions.</li>
<li>OT events are aggregated, prioritized, and consumed into orchestration tools.</li>
<li>Cloud security postures for OT and IT are understood and documented.</li>
</ul> <p>For more information, see:</p>
<p> </p></li>
<li>To what degree are your OT and IT networks segmented? <p>Network segmentation has been well established as a foundational security practice. NIST SP800-82r3 pg.72 states, “Implementing network segmentation utilizing levels, tiers, or zones allows organizations to control access to sensitive information and components while also considering operational performance and safety.”</p> <p>Minimizing network access to OT systems reduces the available threat surface. Typically, firewalls are used as control points between different segments. Several models exist showing separation of OT and IT networks and maintaining boundary zones between the two. As stated in section 5.2.3.1 “A good practice for network architectures is to characterize, segment, and isolate IT and OT devices.” (NIST SP800-82r3).</p> <p>AWS provides multiple ways to segment and firewall network boundaries depending upon requirements and customer needs. Some considerations are:</p>
<ul>
<li>Existence of a perimeter network between OT and IT.</li>
<li>Level of audit and inspection of perimeter network traffic.</li>
<li>Amount of direct connectivity between OT and IT.</li>
<li>Segmentation is regularly tested for threat surface vulnerabilities.</li>
<li>Use of cloud-native tools to manage networks.</li>
<li>Identification and use of high-risk ports.</li>
<li>OT and IT personnel are collaborative network boundary decision makers.</li>
<li>Network boundary changes include OT risk management methodologies.</li>
<li>Defense in depth measures are evident.</li>
<li>Network flow log data analysis.</li>
</ul> <p>For more information, see:</p>
</li>
</ol>
<p>The following table describes typical patterns seen at each maturity level.</p>
<table width="100%">
<tbody>
<tr>
<td width="5%"></td>
<td width="19%"></td>
<td width="19%"><strong>Phase 1: Quick wins</strong></td>
<td width="19%"><strong>Phase 2: Foundational</strong></td>
<td width="19%"><strong>Phase 3: Efficient</strong></td>
<td width="19%"><strong>Phase 4: Optimized</strong></td>
</tr>
<tr>
<td width="5%">1</td>
<td width="19%">When was the last time your organization conducted an OT/IT cybersecurity risk assessment using a common framework (such as ISA/IEC 62443) and used it to inform system design?</td>
<td width="19%">A basic risk assessment performed to identify risks, gaps, and vulnerabilities</td>
<td width="19%">Organization has manual threat modeling capabilities and maintains an up-to-date threat model</td>
<td width="19%">Organization has automated threat modeling capabilities using the latest tools</td>
<td width="19%">Organization maintains threat modeling automation as code and an agile ability to use the latest tools</td>
</tr>
<tr>
<td width="5%">2</td>
<td width="19%">What is the extent and maturity of IIoT enabled digital transformation in your organization?</td>
<td width="19%">Organization is actively introducing IIoT on proof-of-value projects</td>
<td width="19%">Organization is moving from proof-of-value projects to production pilots</td>
<td width="19%">Organization is actively identifying and prioritizing business opportunities and use cases and using the lessons learned from pilot sites to reduce the time-to-value at other sites</td>
<td width="19%">Organization is scaling the use of IIoT across multiple use cases, sites, and assets and can rapidly iterate new IIoT to meet changing business needs</td>
</tr>
<tr>
<td width="5%">3</td>
<td width="19%">Does your organization maintain an inventory of connected assets and use it to manage risk effectively?</td>
<td width="19%">Manual tracking of connected assets with no automated tools for new asset discovery</td>
<td width="19%">Introduction of asset discovery tools to discover and create an inventory of all connected assets</td>
<td width="19%">Automated tools for asset discovery, inventory management, and frequent reporting</td>
<td width="19%">Near real time asset discovery and consolidated inventory in a configuration management database (CMDB) </td>
</tr>
<tr>
<td width="5%">4</td>
<td width="19%">Does your organization have an incident response plan for converged OT and IT environments?</td>
<td width="19%">Organization has separate incident response plans for OT and IT environments</td>
<td width="19%">Organization has an ICS-specific incident response plan to account for the complexities and operational necessities of responding in operational environments</td>
<td width="19%">Cyber operators are trained to ensure process safety and system reliability when responding to security events in converged OT/IT environments</td>
<td width="19%">Organization has incident response plans and playbooks for converged OT/IT environments</td>
</tr>
<tr>
<td width="5%">5</td>
<td width="19%">With reference to corporate governance, are OT and IT using separate policies and controls to manage cybersecurity risks or are they using the same policy?</td>
<td width="19%">Organization has separate risk policies for OT and IT environments</td>
<td width="19%">Organization has some combined policies across OT and IT but might not account for all OT risks</td>
<td width="19%">Organization accounts for OT risks such as health and safety in a central cyber risk register</td>
<td width="19%">Organization has codified central risk management policy accounting for both OT and IT risks</td>
</tr>
<tr>
<td width="5%">6</td>
<td width="19%">Is there a central cloud center of excellence (CCoE) with equivalent representation from OT and IT?</td>
<td width="19%">Cloud CoE exists with as-needed engagement from OT on special projects</td>
<td width="19%">Some representation from OT in cloud CoE</td>
<td width="19%">Increasing representation from OT in cloud CoE</td>
<td width="19%">Cloud CoE exists with good representation from OT and IT</td>
</tr>
<tr>
<td width="5%">7</td>
<td width="19%">Is there a clear definition of the business value of converging OT and IT?</td>
<td width="19%">No clear definition of business value from convergence projects</td>
<td width="19%">Organization working towards defining key performance indicators (KPIs) for convergence projects</td>
<td width="19%">Organization has identified KPIs and created a baseline of their current as-is state</td>
<td width="19%">Organization is actively measuring KPIs on convergence projects</td>
</tr>
<tr>
<td width="5%">8</td>
<td width="19%">Does your organization have security monitoring across the full threat surface?</td>
<td width="19%">Stand-alone monitoring systems in OT and IT with no integration between systems</td>
<td width="19%">Limited integration between OT and IT monitoring systems and may have separate SOCs</td>
<td width="19%">Increasing integration between OT and IT systems with some holistic SOC activities</td>
<td width="19%">Convergence of OT and IT security monitoring in a unified and global SOC</td>
</tr>
<tr>
<td width="5%">9</td>
<td width="19%">Does your IT team fully comprehend the differences in priority between IT and OT with regard to availability, integrity, and confidentiality?</td>
<td width="19%">IT teams lack an understanding of the priorities in OT as they relate to safety and availability</td>
<td width="19%">IT teams have a high level understanding of the differences between OT and IT risks and OT teams understand cyber threat models</td>
<td width="19%">IT teams being trained on the priorities and differences of OT systems and include them in cyber risk measures</td>
<td width="19%">IT fully understands the differences and increased risk from OT/IT convergence and members work on cross-functional teams as interchangeable experts</td>
</tr>
<tr>
<td width="5%">10</td>
<td width="19%">Are your OT support teams engaged with cloud strategy?</td>
<td width="19%">Separate OT and IT teams with limited collaboration on projects</td>
<td width="19%">Limited OT team engagement in cloud strategy</td>
<td width="19%">Increasing OT team engagement in cloud security</td>
<td width="19%">OT teams actively engaged with cloud strategy</td>
</tr>
<tr>
<td width="5%">11</td>
<td width="19%">How much of your cloud security across OT and IT is managed manually and how much is automated?</td>
<td width="19%">Processes are manual and use non-enterprise grade tools</td>
<td width="19%">Automation exists in pockets within OT</td>
<td width="19%">Security decisions are increasingly automated and iterated upon with guardrails in place</td>
<td width="19%">Manual steps are minimized and security decisions are automated as code</td>
</tr>
<tr>
<td width="5%">12</td>
<td width="19%">To what degree are your OT and IT networks segmented?</td>
<td width="19%">Limited segmentation between OT and IT networks</td>
<td width="19%">Introduction of an industrial perimeter network between OT and IT networks</td>
<td width="19%">Industrial perimeter network exists with some OT network segmentation</td>
<td width="19%">Industrial perimeter network between OT and IT networks with micro-network segmentation within OT and IT networks</td>
</tr>
</tbody>
</table>
<h2>Conclusion</h2>
<p>In this post, you learned how you can use this OT/IT convergence security maturity model to help identify areas for improvement. There were 12 questions and patterns that are examples you can build upon. This model isn’t the end, but a guide for getting started. Successful implementation of OT/IT convergence for industrial digital transformation requires ongoing strategic security management because it’s not just about technology integration. The risks of cyber events that OT/IT convergence exposes must be addressed. Organizations fall into various levels of maturity. These are <em>quick wins</em>, <em>foundational</em>, <em>efficient</em>, and <em>optimized</em>. AWS tools, guidance, and professional services can help accelerate your journey to both technical and organizational maturity.</p>
<h3>Additional reading</h3>
<p> <br>If you have feedback about this post, submit comments in the<strong> Comments</strong> section below. If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p>
<p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>
<!-- '"` -->