How cyber risk increases as IT and OT systems come together

Organisations are more digitally enabled and connected than ever before. IDC estimates that worldwide spending on digital transformation (DX) will grow by an average of 16.1 percent per year to reach nearly US$3.9 trillion in 2027.

Digital transformation now extends well beyond the four walls of information technology (IT) departments to physical systems and operational processes. IDC says the two largest global DX use cases  – accounting for 35 percent of all DX spending – are both focused on using technology to improve operational efficiency. The largest area is large-scale operational environments, like manufacturing plant floor operations and engineering functions, while the second largest is focused on digitising back-office support and infrastructure.  

The rapid digitisation of operational technology (OT) environments is largely attributed to improvements in Internet of things (IoT), artificial intelligence (AI) and wireless networking technology, allowing organisations to monitor, track and improve physical systems and processes. This innovation is transforming industries and generating incredible amounts of value; think advanced automation and robotics within manufacturing or smart irrigation systems in agriculture.

As physical processes become more data-driven, there is an escalating need to align OT systems with digital IT strategies. Organisations are finding new and innovative ways of using data to scale faster, drive efficiencies and generate unprecedented value by integrating their OT and IT systems, processes and teams. This is a trend that many have described as the fourth industrial revolution.

IT and OT have traditionally been managed separately, often in different departments on opposite sides of the business – or even the world. Traditionally these OT environments have been air gapped to maintain control and security. That’s quickly changing as these two environments converge to take advantage of operational efficiencies, big data and generative AI.

Effective OT and IT convergence is the key for fully unlocking the benefits of Industry 4.0, but integrating physical systems and billions of IoT devices, many of which are mostly unsecured, with IT environments exposes businesses to a new wave of serious threats.

Telstra, in partnership with research firm Omdia, recently conducted research into the state of IT and OT integration in North Asia to explore the extent of this issue. It found that despite more than half (53 percent) of OT systems projected to be connected to IT systems by 2025 – up from 38 percent today – 88 percent of organisations in North Asia have recently dealt with a security incident that affected OT production environments.

Addressing security-related convergence challenges will prove key for scaling up OT technology deployments and achieving a competitive advantage in many key industries.

Convergence is accelerating, security is lagging

Organisations across North Asia are increasingly recognising IT and OT integration as a priority and are making good strides in connecting systems, tools and processes.

Optimism is high, with 85 percent of firms expecting business benefits from convergence activities, including improvements in innovation, reliability, integrity, and revenue growth. Almost half (48 percent) of executives say that better connecting IT and OT is “very important” to achieving their business outcomes.

Embracing Industry 4.0 and advanced digital technologies were the top reasons for convergence, cited by over half (54 percent) of respondents. That was followed by improving data analytics and decision-making (46 percent) increasing resilience and availability (42 percent) and bolstering cybersecurity (33 percent). 

As systems reach end of life (EOL), more innovative and advanced OT industry solutions become available and new entrants, across industries like manufacturing, use advanced technology to increase competition, it’s pushing organisations to accelerate convergence to stay competitive. However, organisations must overcome barriers associated with attaining skills, managing/incorporating legacy ICS and SCADA systems and cohesively uniting IT (corporate) and OT (production/industrial) teams and processes.

These challenges are contributing to a significant security shortfall. Most firms (56 percent) report basic or developing maturity levels in securing OT, including IoT and Industrial Internet of Things (IIoT).  That’s great news for attackers, who are becoming more sophisticated in accessing unencrypted or unsecured connected IoT systems to access, extract, and exploit commercially sensitive data or traverse across devices into other systems.

The top three IoT or OT-specific cyber threats encountered by organisations include fraud-related attacks like ransomware and extortion threats (64 percent), distributed denial of service (58 percent) and malware such as trojans (58 percent).

Much of this is a direct result of IT and OT systems coming together. Executives report that 74 percent of attacks that affected critical infrastructure operations started in IT. That means traditional methods of air gapping – or physically/logically segregating OT systems from corporate networks to protect them – are no longer sufficient for maintaining security. 

Our research shows 80 percent of organisations have experienced a recent significant increase in security incidents in their Level 3.5 demilitarized zone (DMZ) environment, further illustrating that air gapping doesn’t work.

Developing a robust strategy for improvement

IT and OT integration creates enormous value through numerous benefits for organisations across industries, although the risks of a breach that materially impacts production, operations and revenue are equally high.

Organisations must address security challenges to fully capitalise on the enormous potential of converged technologies, prioritising IT/OT and IoT security across four core areas:

1. Collaborate to bridge the skills divide: business leaders must bring teams across the C-suite, IT/cybersecurity, product (engineering) and IT operations (corporate) teams together to plan the right convergence path, instead of relying solely on IT.
2. Define a strategy for OT/IT security readiness: executives responsible for OT security should work with their team to assess their environment and develop a robust improvement strategy, executing it using an agile and programmatic approach.
3. Unlock value from industry frameworks and OT security tools: security leaders should consider extending cloud-based IT security tools with OT-specific capabilities to span asset discovery, categorisation, monitoring and Security Operations (SecOps).
4. Leverage the right partner: trusted managed security service providers (MSSPs) help organisations develop comprehensive and tailored IT/OT convergence and security strategies, helping bridge the skills gap and overcome budget constraints.

That last step is crucial, as attaining the right skills across OT and IT security is one of the biggest challenges of convergence. Our research shows almost three-quarters (73 percent) of firms will outsource IT and OT security to a third party (either completely or in a mixed arrangement), while just 8 percent plan to go it alone and 19 percent say they’ll rely largely on vendor platforms, systems, and tools.

The stakes for securing interconnected systems are high, but the right support from a trusted MSSP, who understands industry requirements, gives organisations a huge head start, helping them fully capitalise on the significant benefits promised by Industry 4.0. 

For more details, please access the Securing Industry 4.0: The Challenges and Opportunities of IT/OT Convergence research report.