
The Merging of Cybersecurity and Operational Technology

Abstract
As industrial control systems (ICS) cybersecurity breaches continue to increase,
the consequences arising from inadequate protection of information have become
an important executive management issue. It follows, then, that the convergence
of information technology (IT) and operational technology (OT) has become a
business imperative.
This white paper is a joint investigation by ISACA and the International Society
of Automation (ISA) to explore the critical issue of securing Industrial Systems/
Industrial Internet, given that cybersecurity is more IT-focused than OT. How do
we bring cybersecurity into OT and begin to secure those systems?

www.isaca.org/cyber

Introduction
As industrial control systems (ICS) cybersecurity breaches continue to
increase, the consequences arising from inadequate protection of
information have become an important executive management issue. It
follows, then, that the convergence of information technology (IT) and
operational technology (OT) has become a business imperative.
One example of a recent (and significant) attack was revealed in January
2016, when the Computer Emergency Response Team of Ukraine (CERT-UA)
confirmed global suspicion that the previous month's power outage across
several western Ukrainian regions was caused by a malicious attack that left
more than 57 power stations in a blackout state. In excess of 230,000
residents were left without power and heat on a cold December day while
employees at the power substation were helpless to mitigate the action.
Although the power was not out for long, the impact of the attack was felt for
months after the initial problem resolution: The attackers had overwritten
firmware on critical devices at myriad substations, which necessitated
manual handling of remote activities that had previously been automated.
The attack was well staged and sophisticated. Attackers gained control of
operators' credentials and locked them out while they shut down controllers.
The attack likely took extensive planning and funding and has not been
positively attributed to a single organization as of the date of this publication.
The Ukraine suspects a nation-state threat actor, but the activity could have
been carried out by one or many threat actors at different points. While the
attack caused major disruption in service to thousands of Ukrainian
residents, it could have been much worse.
According to recent surveys, attacks on ICS are on the rise. Dell's 2015
Security Annual Threat Report¹ showed that attacks doubled from 2013 to
2014. The ICS-CERT Monitor² reported that just over half of reported
incidents in the US in 2014 arose from advanced persistent threats (APTs),
while the other 45 percent sourced from cybercriminals, hacktivists and
malicious insiders. Attacks on critical infrastructure and the supervisory
control and data acquisition (SCADA) systems, which monitor and gather data
on equipment in real time to remotely control equipment and conditions,
may be increasing due to the lack of alignment between OT and IT. IT
and OT have traditionally been separated and managed with different
objectives, protocols, governance models and standards, but increased
usage of IT is forcing enterprises to examine whether convergence could
help to provide a more holistic cybersecurity solution.

1 Dell, 2015 Dell Security Annual Threat Report, USA, 2015, www.sonicwall.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf
2 US Department of Homeland Security, ICS-CERT Monitor, USA, September 2014–February 2015,
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

2016 ISACA. All Rights Reserved.


Defining OT and IT
While IT is responsible for the systems that collect,
transport and process data that provide information to the
business, OT generally comprises the systems that handle
the monitoring and automation of ICS through SCADA
systems attached to distributed control systems (DCS),
programmable logic controllers (PLCs), remote terminal
units (RTUs) and field devices. According to Gartner, OT
is hardware and software that detects or causes a change
through the direct monitoring and/or control of physical
devices, processes and events in the enterprise.³ ISACA
defines IT as the hardware, software, communication and
other facilities used to input, store, process, transmit and
output data in whatever form.⁴
Although threats to critical infrastructure have been well
documented for years, OT, including systems like
manufacturing execution systems (MES), SCADA and
DCS, traditionally was not perceived as a threat to the
infrastructure for a few reasons. Initially, due to the primary
need for real-time monitoring, OT systems could not
depend on protocols such as the Ethernet and were
simple, isolated point-to-point networks. However, over
time, enterprise networks have replaced proprietary
communication tools with protocols such as the Ethernet
and Internet protocol (IP), resulting in the erosion of
isolation. Threat actors are very familiar with open protocols,
so with the move to those protocols, whatever security by
obscurity existed is lost.

OT systems are frequently interconnected and even in
situations where the OT is separated from the IT networks
with perceived air gaps, there are access points from one
network to the other. Many air-gapped systems rely on the
use of removable media (USB thumb drives, etc.). Stuxnet
and the data exfiltration of US Department of Defense
systems are powerful reminders of the damage these
devices can do.⁵ Additionally, an organizational policy that
permits remote access to company systems via the Internet
creates the threat that an unauthorized individual may gain
access to the SCADA systems and be able to manipulate
data or, worse, control the system.⁶ Compounding this is
the fact that one of the most commonly used attack vectors
is spear phishing, in which a seemingly innocuous email
passes through the firewalls/spam filters, ultimately causing
the innocent download of malicious firmware that potentially
affects ICS operation.

3 Gartner, IT Glossary, www.gartner.com/it-glossary/operational-technology-ot/
4 ISACA, Glossary, www.isaca.org/glossary
5 ISACA, Industrial Control Systems: A Primer for the Rest of Us, USA, 2016,
www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/industrial-control-systems-a-primer-for-the-rest-of-us.aspx
6 Donahue, S.; Comprehensive Examinations, Securing Critical Infrastructure, 2009


OT and IT: Similarities and Differences
Historically, OT and IT have been two distinct units.
OT is focused on the automation of machines, processes
and systems within a plant, and IT focuses on the business,
operations and enterprise information systems required
to support the business. Their business objectives are not
the only difference between these two distinct systems
divisions, however. Their employees have different roles,
they frequently report to different executives and they have
different departmental cultures. Their systems are frequently
separated both logically and physically. Most notably, their
approach to and tolerance of risk differ.
When it comes to cybersecurity, IT personnel are concerned
with confidentiality, integrity and availability (CIA), with a strong
focus on confidentiality. OT personnel typically prioritize
availability, data integrity and then confidentiality (AIC). The IT
systems in ICS are internetworked systems that require the
same type of defense-in-depth strategies employed throughout
IT systems in any industry. Identifying vulnerabilities and
appropriately treating risk are paramount to protecting systems
and information assets. However, on the OT side, while
the concerns of AIC are important (with a strong focus on
availability), of primary importance is human safety.
See figure 1.
Some of the categories noted in figure 1 are problematic
when considering joint risk management approaches.
Availability, for example, is a critical category for both types
of systems, but it is especially critical in the OT space
where machines rely on availability for real-time monitoring.
Of course, availability is a critical key performance indicator
in any IT shop as well, but it is possible that when considering
risk in the context of cybersecurity, confidentiality will take
precedence over availability.

FIGURE 1: Differences between IT and OT

| Attribute | IT | ICS |
|---|---|---|
| Confidentiality (Privacy) | High | Low |
| Message Integrity | Low-Medium | Very High |
| System Availability | Low-Medium | Very High |
| Authentication | Medium-High | High |
| Non-Repudiation (Proof of the integrity and origin of data) | High | Low-Medium |
| Time Criticality | Days Tolerated | Critical |
| System Downtime | Tolerated | Not Acceptable |
| Security Skills/Awareness | Usually Good | Usually Poor |
| System Life Cycle | 3–5 Years | 15–25 Years |
| Interoperability | Not Critical | Critical |
| Computing Resources | Unlimited | Very Limited with Older Processors |
| Software Changes | Frequent | Rare |
| Worst Case Impacts | Frequent Loss of Data | Equipment Destruction, Inquiries |

SOURCE: Joseph Weiss, What Executives Need to Know About Industrial Control
Systems Cybersecurity, International Society of Automation, 2016. Reprinted with
permission.


Convergence
While vast differences exist between OT and IT, the
replacement of legacy OT systems with IP-enabled devices
has lessened the isolation these systems once benefitted
from and significantly increased the attack surface. Physical
security of the plant floor and machinery is also frequently
controlled by IP-enabled devices and, as a result, IT security
personnel now need to better understand OT to effectively
secure the IT systems that are related to the OT systems.
The traditional physical separation between IT systems and
OT systems has been replaced by a combined approach,
which may look like the configuration illustrated in figure 2.

FIGURE 2: Network Zones/Conduits Diagram

SOURCE: ISA99, Industrial Automation and Control Systems Security standard. Reprinted with permission.


To reduce the potential enterprise risk and adequately protect
both sides of enterprise systems, it is imperative to leverage a
holistic program that brings IT and OT together.
By working together as a cross-functional unit, IT and OT
can begin to understand each other's systems and
increase overall resilience and value to the organization.
Full convergence would indicate that IT and OT systems
are leveraging common standards, risk and governance
approaches; they are managed under one business unit
with common objectives; and they work in conjunction
to provide value to the enterprise. This sort of approach
requires employees from IT and OT to be cross-trained.
Both ICS and IT cybersecurity professionals bring valuable
and unique perspectives to the table. IT security is not a
new topic and, in converged enterprises, IT security teams
can be leveraged to improve OT security as well. ICS
professionals are focused on automation and can, therefore,
provide an understanding of the criticality of repeatable
processes, preplanned responses and profound familiarity
with the network they are charged with maintaining.
Both the enterprise as a whole and individual business
units stand to learn a lot from each other by working together
to achieve common goals. Among the many benefits of
the convergence of OT and IT are:

• Reduced operating costs through elimination of redundant processes and resources⁷
• Increased control over distributed operations
• Improved security through an integrated approach for cybersecurity across both categories of technology
• Consistent risk management across technology domains
• Improved governance and management of systems
• Improved overall plant safety (it cannot be safe if it is not secure)
• A continuous process of assess, implement, maintain and then repeat

Conclusion
While IT and OT have traditionally been separated by
various physical barriers such as data centers, facilities
and hardware, the integration of IT systems that are
frequently IP-enabled into OT systems has increased the
need to better and more holistically manage both types of
systems. Due to connectivity to enterprise networks, the OT
systems that once enjoyed obscurity are now extraordinarily
vulnerable to cyberattacks. To better protect critical
systems, IT and OT need to work together to harmonize
processes, governance, systems and people. In fact, a
robust cybersecurity program in an ICS environment must
include people, process and technology. Establishing
cross-functional teams to handle security of both IT and
OT will enable the enterprise to generate a more holistic
approach to cybersecurity in the ICS environment and
reduce enterprise risk. When bringing these two teams
together, it is important to consider the differences between
them and establish strong change management processes.
By harmonizing the two traditionally separate areas, both the
enterprise and the employee will enjoy the benefits of a
high-performing, cross-functional team.

7 Gilbert, B.; Em(Power)ing the Grid: Top Benefits of Converging IT and OT, Wavelengths, 9 August 2015,
http://wavelengths.freewave.com/industrial-iot/empowering-the-grid-top-benefits-of-converging-it-and-ot/


ISACA
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus
(CSX), a holistic cybersecurity resource,
and COBIT, a business framework to
govern enterprise technology.

Disclaimer
This is an educational resource and is
not inclusive of all information that may
be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.

Reservation of Rights
2016 ISACA. All rights reserved.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org


ACKNOWLEDGMENTS
ISACA would like to recognize:

Cybersecurity Working Group

Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Chair
Niall Casey, Johnson & Johnson, USA
Stacey Halota, Graham Holdings, USA
Tammy Moskites, CISM, Venafi, USA
Lisa O'Connor, Accenture, USA
Ron Ritchey, JPMorgan Chase & Co., USA
Marcus Sachs, North American Electric Reliability Corporation, USA
Greg Witte, CISM, CISSP-ISSEP, PMP, G2, Inc., USA
Rogerio Winter, Brazilian Army, Brazil

ISACA Board of Directors (2015–2016)

Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, International Chair
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands, Director
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, MAICD, Vital Interacts, Australia, Director
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Director
Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA, US House of Representatives, USA, Director
Leonard Ong, CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director
Andre Pitkowski, CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Vice President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Robert E Stroud, CGEIT, CRISC, USA, Past Chair
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Matt Loeb, CAE, ISACA, USA, Director
Rajaramiyer Venketaramani Raghu, CISA, CRISC, Versatilist Consulting India, Pvt., Ltd., India, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director

Special thanks to the International Society of Automation
