Bridging the gap between OT and IT cybersecurity

How do you assess OT and IT cybersecurity in an integrated way? Certification specialist Adelina-Elena Voicu presents her research.

... > Site Assessment > Bridging the gap between OT and IT cybersecurity

Bridging the gap between IT and OT

OT systems used to be isolated from networks that ran IT systems. IT and OT cybersecurity were treated as separate issues. But the two are becoming more integrated. When assessing the security of these systems, this integration means new challenges. Adelina-Elena Voicu, certification specialist at Secura, researched these challenges in depth. She answers three questions on her research.

Why do we need a combined approach to IT and OT security?

‘Most organizations nowadays have both IT and OT infrastructure. For OT systems, the standard to follow is IEC 62443-2-1. This standard was inspired by the standard for IT systems: ISO 27001. This means these two standards contain similar controls. But one was created specifically for IT and the other specifically for OT.’

Gaps and overlaps

‘If we perform an assessment based on OT controls, we might miss IT controls that might be relevant. At the same time we cannot just use IT controls and extend them to OT environments, because that may lead to conflicts.’

‘So what I researched was: how can we create an integrated IT/OT cybersecurity approach based on these two similar standards? To do this I mapped the gaps and overlapping parts of the two standards, ISO 27001 and the implementation guidance in ISO 27002.’

Adelina small

Adelina-Elena Voicu

Certification specialist

Secura

If there is an emergency at a factory and an operator needs to access the operator screen, a password requirement can become a safety hazard.

Which conflicts can arise if you use an IT control on an OT environment?

‘Let’s look at secure authentication. It’s easy to require that you and I use a password on our laptop. But what happens if we extend that requirement to an operator screen, say in a factory. If there is an emergency and an operator needs to access the screen, having a password may delay the response time. Then a password, the IT security control, becomes a safety hazard. And security is important, but safety always comes first.’

How can you use this research in practice?

‘We are still working on the practical outcome. But imagine you want to do an assessment of your security maturity. For an assessment like this you would use controls of for instance IEC 62443, for your OT environment, or ISO 27001, in case of an IT environment.’

‘But what if your company has both? A full assessment for both environments would require a lot of effort and be costly. But if we can identify the overlaps between the two standards, we could use one assessment to cover both IT and OT. During the assessment we would only have to ask certain questions once. This saves time and money.’

Read more about this research into assessing the security of IT/OT environments in these two Whitepapers.

Download Whitepapers

USP

Combined approach to IT and OT

Mapping the gaps and overlaps between ISO 27001 and IEC 62443

Download
USP

Implementation conflicts

How to avoid implementation conflicts between ISO 27001 and IEC 62443

Download
Highlight-image

About the author

Adelina-Elena Voicu works as a junior certification specialist at Secura within the Product Manufacturers market group. She completed a master’s degree in the Information Security and Technology field at the Eindhoven University of Technology. Since graduating she has been working at Secura on projects related to products certification, with a special focus on connected vehicles and industrial products.

Contact me

Do you want to learn more about assessing your IT and OT environments? Fill in the contact form and we will contact you within one business day.

USP

Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80.000 employees and is active in 140 countries.