Bridging the gap between OT and IT cybersecurity
How do you assess OT and IT cybersecurity in an integrated way? Certification specialist Adelina-Elena Voicu presents her research.
Bridging the gap between IT and OT
OT systems used to be isolated from the networks that ran IT systems, and IT and OT cybersecurity were treated as separate issues. The two are now becoming more integrated, and this integration brings new challenges when assessing the security of these systems. Adelina-Elena Voicu, certification specialist at Bureau Veritas Cybersecurity, researched these challenges in depth. She answers three questions on her research.
Why do we need a combined approach to IT and OT security?
‘Most organizations nowadays have both IT and OT infrastructure. For OT systems, the standard to follow is IEC 62443-2-1. This standard was inspired by the standard for IT systems: ISO 27001. This means these two standards contain similar controls. But one was created specifically for IT and the other specifically for OT.’
Gaps and overlaps
‘If we perform an assessment based on OT controls, we might miss IT controls that might be relevant. At the same time we cannot just use IT controls and extend them to OT environments, because that may lead to conflicts.’
‘So what I researched was: how can we create an integrated IT/OT cybersecurity approach based on these two similar standards? To do this I mapped the gaps and overlapping parts of the two standards, ISO 27001 and the implementation guidance in ISO 27002.’
Which conflicts can arise if you use an IT control on an OT environment?
‘Let’s look at secure authentication. It’s easy to require that you and I use a password on our laptop. But what happens if we extend that requirement to an operator screen, say in a factory? If there is an emergency and an operator needs to access the screen, having a password may delay the response time. Then a password, the IT security control, becomes a safety hazard. And security is important, but safety always comes first.’
How can you use this research in practice?
‘We are still working on the practical outcome. But imagine you want to do an assessment of your security maturity. For an assessment like this you would use the controls of, for instance, IEC 62443 for your OT environment, or ISO 27001 in the case of an IT environment.’
‘But what if your company has both? A full assessment for both environments would require a lot of effort and be costly. But if we can identify the overlaps between the two standards, we could use one assessment to cover both IT and OT. During the assessment we would only have to ask certain questions once. This saves time and money.’
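The merged questionnaire described above can be sketched in code. The following is an added example, not part of the interview or of Bureau Veritas Cybersecurity's method: it takes two small constructed control catalogs (the references such as `IT-AUTH` and `OT-AUTH` are placeholders, not real ISO 27001 or IEC 62443 clause numbers), groups controls that cover the same topic so an overlapping question is asked once, and marks the safety-sensitive overlap from the authentication example so that a 'no' on the OT side is routed to review rather than scored as a plain failure.

```python
"""Merge an IT control set and an OT control set into one questionnaire.

Added example with constructed sample data; control references are
placeholders, not clause numbers from ISO 27001 or IEC 62443-2-1.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    ref: str                 # placeholder reference, not a real clause number
    standard: str            # "ISO27001" (IT) or "IEC62443" (OT)
    topic: str               # normalised topic key; same key on both sides = overlap
    question: str
    safety_sensitive: bool = False  # a strict IT-style version can conflict with plant safety


ENV = {"ISO27001": "IT", "IEC62443": "OT"}

# Constructed sample catalogs; wording and references are illustrative only.
IT_CONTROLS = (
    Control("IT-AUTH", "ISO27001", "authentication",
            "Is every user authenticated before access is granted?"),
    Control("IT-PATCH", "ISO27001", "patching",
            "Are security patches applied within a defined timeframe?"),
    Control("IT-BACKUP", "ISO27001", "backup",
            "Are backups taken regularly and restore-tested?"),
)
OT_CONTROLS = (
    Control("OT-AUTH", "IEC62443", "authentication",
            "Are operators authenticated on HMIs?", safety_sensitive=True),
    Control("OT-ZONE", "IEC62443", "zoning",
            "Is the plant network divided into zones and conduits?"),
    Control("OT-BACKUP", "IEC62443", "backup",
            "Are controller and HMI configurations backed up?"),
)


@dataclass(frozen=True)
class Question:
    topic: str
    text: str
    applies_to: Tuple[str, ...]   # ("IT",), ("OT",) or ("IT", "OT")
    sources: Tuple[str, ...]      # control refs this single question covers
    caveat: Optional[str] = None  # set when an IT-style answer needs an OT safety check


def merge_questionnaire(it_controls, ot_controls) -> List[Question]:
    """Group controls by topic so an overlapping topic is asked only once."""
    by_topic: Dict[str, List[Control]] = {}
    for c in tuple(it_controls) + tuple(ot_controls):
        by_topic.setdefault(c.topic, []).append(c)
    questions = []
    for topic in sorted(by_topic):
        controls = by_topic[topic]
        envs = tuple(sorted({ENV[c.standard] for c in controls}))
        caveat = None
        if any(c.safety_sensitive for c in controls):
            caveat = ("For OT, a 'no' is not automatically a failure: check whether the "
                      "control would delay an emergency response and whether a "
                      "compensating control (e.g. physical access control) is in place.")
        questions.append(Question(topic, controls[0].question, envs,
                                  tuple(c.ref for c in controls), caveat))
    return questions


def assess(questions: List[Question], answers: Dict[Tuple[str, str], bool]):
    """answers maps (topic, env) -> yes/no. Returns (topic, env) -> verdict."""
    verdicts = {}
    for q in questions:
        for env in q.applies_to:
            if answers.get((q.topic, env)):
                verdicts[(q.topic, env)] = "pass"
            elif env == "OT" and q.caveat:
                # Safety comes first: flag for review instead of a plain fail.
                verdicts[(q.topic, env)] = "review: safety trade-off, compensating control required"
            else:
                verdicts[(q.topic, env)] = "fail"
    return verdicts


if __name__ == "__main__":
    qs = merge_questionnaire(IT_CONTROLS, OT_CONTROLS)
    print(f"{len(IT_CONTROLS) + len(OT_CONTROLS)} controls -> {len(qs)} questions")
    for q in qs:
        print(q.topic, q.applies_to, q.sources, "(caveat)" if q.caveat else "")
```

Run as-is, the six constructed controls collapse into four questions; authentication and backup are asked once for both environments, while patching and zoning remain environment-specific. In a real assessment the topic keys would come from a reviewed mapping between the two standards, which is the part the research above is about.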
Read more about this research into assessing the security of IT/OT environments in these two Whitepapers.

About the author
Adelina-Elena Voicu works as a junior certification specialist at Bureau Veritas Cybersecurity within the Product Manufacturers market group. She completed a master’s degree in Information Security and Technology at the Eindhoven University of Technology. Since graduating she has been working at Bureau Veritas Cybersecurity on projects related to product certification, with a special focus on connected vehicles and industrial products.