Strategic Roadmap for Integrated IT and OT Security
“Integrated IT and OT security and risk management has become instrumental in maintaining competitive advantage. To be successful, security and risk management leaders must have solid strategic roadmaps that will enable business continuity, and improve cyber resilience and decision making.”
According to the report, the following are the key findings and recommendations:
- Operational technology (OT) domain culturally has been more safety-aware than risk- and security-aware compared with IT, challenging effective security governance and policy in integrated IT/OT environments.
- OT networks have been unmanaged, from a security and risk perspective, for many years. They are flat, with a mix of OT protocols, unidentified assets, legacy systems and devices with unsecure communications.
- Applying a “one-size-fits-all” security controls methodology across IT and OT, as well as not fully accounting for differing security requirements, leads to decreased security efficacy.
Security and risk management (SRM) leaders who are operating and planning in industrial Internet of Things (IIoT) and converging IT/OT settings should:
- Establish a single governance body, along with an advisory board, by including staff from the IT and the OT domains, to provide oversight and to develop policy for integrated IT/OT security.
- Segment OT networks, and create zones and conduits, by identifying assets and data associated with them, and categorizing assets based on mission criticality.
- Apply layered defense-in-depth (DiD) security to OT by taking into account the key differences between IT and OT, and adjusting security controls against known and evolving threats.”
Gartner 2018 Strategic Roadmap for Integrated IT and OT Security, Saniye Alaybeyi, 3 May 2018
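As an added illustration (not from the Gartner report), a small Python model of the zones-and-conduits approach the recommendations describe: a constructed asset inventory with hypothetical names is categorized by zone and mission criticality, and each flow is evaluated against an explicit conduit list, so unidentified assets and zone pairs without a conduit are denied instead of passing as they would on a flat network.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # security zone the asset is assigned to
    criticality: str   # mission criticality: "low", "medium" or "high"

# Constructed sample inventory; the asset names and zones are hypothetical.
ASSETS = {a.name: a for a in [
    Asset("erp-server", "enterprise", "low"),
    Asset("historian", "dmz", "medium"),
    Asset("hmi-01", "control", "high"),
    Asset("plc-07", "control", "high"),
]}

# Conduits: the only permitted zone-to-zone paths and the protocols each may carry.
# Any path not listed is denied, unlike a flat network where everything reaches everything.
CONDUITS = {
    ("enterprise", "dmz"): {"https"},
    ("dmz", "control"): {"opcua"},
}

def evaluate_flow(src_name, dst_name, protocol, assets=ASSETS, conduits=CONDUITS):
    """Return (decision, reason) for one flow under the zone/conduit model."""
    src, dst = assets.get(src_name), assets.get(dst_name)
    if src is None or dst is None:
        # An asset missing from the inventory cannot be placed in a zone, so deny it.
        return "deny", "unidentified asset"
    if src.zone == dst.zone:
        return "allow", f"intra-zone traffic within '{src.zone}'"
    allowed = conduits.get((src.zone, dst.zone))
    if allowed is None:
        return "deny", f"no conduit from '{src.zone}' to '{dst.zone}'"
    if protocol not in allowed:
        return "deny", f"conduit {src.zone}->{dst.zone} does not carry {protocol}"
    return "allow", f"permitted by conduit {src.zone}->{dst.zone}"

def conduits_into_high_criticality(assets=ASSETS, conduits=CONDUITS):
    """List conduits whose destination zone holds high-criticality assets;
    these are the paths where controls should be reviewed and tightened first."""
    high_zones = {a.zone for a in assets.values() if a.criticality == "high"}
    return sorted(c for c in conduits if c[1] in high_zones)

if __name__ == "__main__":
    for flow in [("erp-server", "plc-07", "modbus"), ("historian", "plc-07", "opcua"),
                 ("rogue-laptop", "plc-07", "modbus")]:
        print(flow, evaluate_flow(*flow))
    print("conduits into high-criticality zones:", conduits_into_high_criticality())
```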