The convergence of OT and IT

Securing environments as they become increasingly digitized and connected

Angie Gildea

National Sector Leader – Energy, Natural Resources and Chemicals, KPMG in the US

+1 713-319-2295

Oil & gas and other industrial organizations are increasingly facing cyber threats not only to their information technology (IT) systems, but to their operational technology (OT) environments as well. As OT becomes more connected, digitized, and automated, the potential for cyber attackers to break in and cause dangerous disruptions or overrides increases with it. Accidents and unintentional exposures have also caused major incidents. That's why there should be an increasing focus on ensuring that OT environments are secure and subject to the same kind of good practice safeguards as in the IT domain.

The convergence of OT and IT means that organizations must bridge the gap between the two environments - people, processes, and systems - to build a smarter, more secure network with high visibility to monitor and control both environments.

This brings us to an important point: to what extent is it useful anymore to distinguish OT from IT? As the two domains get closer to each other, a lot of OT is IT. Whether you look at OT or at IT, it's technology that they both come down to. The choice to keep them as separate environments will increasingly diminish. This blending is becoming more visible in some interesting ways, such as the rise across industrial organizations of the Chief Technology Officer (CTO). It is CTOs to whom they are often looking to lead the change, comprising both IT and OT. The Chief Information Security Officer (CISO) remains a key role for security, and as OT security becomes a priority.

8 Key questions

To understand the current state and then implement controls and processes that can make a speedy difference, we recommend asking yourself these eight questions:

1. Have you identified the cyber-related risks to which your control network is exposed and are you actively working to mitigate them?

An OT security risk assessment and cyber maturity assessment can provide you with a high-level view of what needs to be addressed at both the technical and governance levels.

2. Does an up-to-date inventory of your control network exist?

It's vital to know what needs protection within your production environment. Many commercial solutions for automatic asset detection are available which combine discovery and threat-detection capabilities.

3. What is the integration level between OT and the corporate network?

Ransomware commonly spreads through the network it attacks. Segmentation can limit its movement, such as from the corporate network into OT and vice versa. Industrial intrusion detection system (IDS) tools have features that can help with the modeling of a segregated network.

4. How is remote access to the network managed?

Secure remote access is a vital topic when it comes to maintaining and repairing assets from a distance, especially in the COVID and post-COVID world. Common remote access types include Remote Desktop Protocol (RDP) and virtual private network (VPN). Secure remote access software is now commonly available on the market and should be considered.

5. Is a solid back-up mechanism in place and consistently tested for security?

If OT assets are infiltrated, the only options may be to either pay whatever ransom is being requested (and, increasingly, it is becoming more common for organizations to take out ransomware insurance) or to restore a backup.

6. What methods are used to apply security patches?

Patch management is essential - and can be difficult if an asset is in use 24/7.

7. What are your current anti-malware solutions?

Early detection is crucial - such as through IDS tools. Detection tools should be connected to a Security Incident and Event Management (SIEM) system, which should log multiple sources including firewalls, assets and remote access tools so that it can alert teams to a possible attack.

8. Do you have a Zero Trust mindset?

Many organizations consider OT to be a walled garden from IT, and anything behind that wall is trusted. While having its roots in IT, Zero Trust can be adapted for OT.

Top-down and bottom-up approaches

The definition of OT can be very broad, and it is found right across an organization's operations, meaning that usually there is no single person with responsibility for all of it. Coordinating efforts to address OT security is essential. This requires a clear governance structure and operating model. A strong mandate from the very top of the business is also a prerequisite, to drive OT security as a strategic priority. That said, a bottom-up detection and defense approach must proceed almost in parallel, since threat actors won't wait until a governance framework is set. While the governance and operating model is instrumented, detection technologies (ideally, integrated into a security operations center (SOC)) should be implemented, response playbooks for common scenarios must be defined and basic cyber-hygiene measures should be taken care of.

Mature governance and operating model structures are geared towards delivering sustainable improvements over the longer term, helping also to future-proof the organization as new technologies (and threats) emerge. At the same time, what we almost always get asked is: “What can I plug in today to make an immediate difference? What can I do to rapidly deliver OT risk reduction?”

An essential component of securing OT is to have a top-down governance framework setting out roles, responsibilities, and reporting lines, while not deferring a bottom-up detection and defense mechanism implementation. 

There are 3 immediate areas that should be assessed and addressed:
  1. Endpoint protection of OT assets
  2. Perimeter firewalls around OT assets
  3. Network segmentation within OT and between OT/IT

How KPMG can help

KPMG has extensive experience of helping oil & gas and industrial organizations rapidly reduce the risks in their OT. We can advise on and implement industry best practices, effective standardization, and available market solutions. Through our wide range of industry relationships and work, we speak both languages - fluent in both OT and IT!

We can help you bridge the gap between the two as well as create engagement at all levels of the organization - from the boardroom to the operational control room. We'd be delighted to talk to you about any aspect of accelerating your OT - keeping it modernized, secure and safe.

We hope that Drilling Down becomes a useful source of ideas for oil and gas professionals around the world.

Please reach out to Angie Gildea with questions or to discuss how KPMG can help your business.