
How to Build a Robust Cybersecurity Architecture for IT/OT Integration

In conversation with Reynaldo Gonzalez, Principal Cyber Security Architect at Cummins

With growing complexities within the OT (Operational Technology) and IT (Information Technology) space, energy, utilities, and industrial manufacturers need to identify system vulnerabilities, bridge the gap between IT/OT teams, and understand that new cybersecurity risks continue to evolve in converged operating environments. 
 
Ahead of our OT Cyber Security Summit, we spoke with event speaker and advisory board member, Reynaldo Gonzalez, Principal Cyber Security Architect at Cummins. With over 18 years of experience facilitating growth and driving successful business outcomes, Reynaldo plays a pivotal role in creating cybersecurity architecture reference standards at Cummins and supporting tools and rationalization efforts to enhance the organization's security posture. Read as he shares detailed insights on the strategies for balancing legacy systems with new security technologies, building a compelling business case for OT cybersecurity investments, and fostering a culture of collaboration to ensure seamless system convergence. 

Maryam Irfan, Oil & Gas IQ: To start, can you tell us about your role and what the journey has been so far?

Reynaldo Gonzalez: I am part of the cybersecurity architecture team within our global cybersecurity organization, providing consultative and advisory services to all teams across the organization, from the US to Europe and other locations. Our support spans various areas of security review, one of which is security architecture design reviews. When teams develop architecture solutions, they bring them to our team, and we evaluate those solutions from a security design perspective, providing input and guidance on areas of security that are either lacking or need improvement, and tying them back to our security policies.
 
Additionally, we develop cybersecurity architecture reference standards, which involve defining and identifying baselines to help structure the direction and roadmap toward a better security posture. We also assess and support efforts around tools and rationalization, identifying gaps and overlaps in capabilities and features, considering the tooling costs, and effectiveness of these security tools or capabilities. We strive to be cognizant of what makes sense from both a cost perspective and capability perspective that meets business needs. 
 
When I joined Cummins in January 2023, we were a relatively new team. Initially, our focus was on security design review and communicating what our team does, who we are, and how we support the organization through continuous outreach. 
 
We have now built a process to facilitate the best way to work with us using our tools, from a scorecard queue system to a review process. We started our outreach with cybersecurity, branched off into IT, and are now expanding into our manufacturing groups to ensure they understand our dynamics and working methods. 
 
Maryam Irfan, Oil & Gas IQ: How have you seen the OT Cyber Security landscape evolve in the last couple of years? 
 
Reynaldo Gonzalez: The landscape is constantly evolving, and keeping up with it is a challenge in itself. When transitioning from a traditional environment to the evolving landscape of Industry 4.0, new cyber threats and the sophistication of attackers’ tactics and techniques continue to increase.
 
Using more IoT connectivity, Artificial Intelligence (AI), digital twins, and AR/VR capabilities introduces complexity to securing the environment. It's not just about what these technologies do, but about providing the right level of protection and posture, because there are so many different players in that space. The idea of separation or true isolation of OT is diminishing as networks move towards more converged environments. These new capabilities help improve operations, efficiency, ROI, and productivity. However, this also presents challenges because the integrated environment needs further protection as the attack surface of connected devices expands the landscape. Since the OT environment has traditionally been untouched for so long, it is exposed to potential new compromises and attacks.
 
New and updated standards and regulations mean greater scrutiny of security policies and cybersecurity measures to consider and implement, especially in markets mandated by government contractual agreements. Cyber incidents are increasingly targeting critical infrastructures, with manufacturing being a prime example. This traditional environment, along with others, remains outdated and exposed to various attack vectors. Hence, standards and regulations are there for guidance or are becoming mandatory.
 
Additionally, there's a shift towards a more proactive approach to security. Organizations across different verticals in the industry, including automotive, are placing greater emphasis on better threat detection, improved incident response, and enhanced incident responsibilities. The implementation of different security technologies allows for detecting and preventing threats, while also incorporating elements like a zero-trust architecture to increase the security posture. Cyber-attacks, particularly ransomware, continue to rise and target this space. Therefore, it is important to keep up and consider the big picture. 

Maryam Irfan, Oil & Gas IQ: What are the most significant cybersecurity challenges you encounter in the OT space? 
 
Reynaldo Gonzalez: One that stands out is the legacy environment, as legacy systems in the OT space don't get updated as frequently as those in the IT domain, either due to hardware or software limitations. These systems typically run simple processes, so outdated software is costly to update or replace.  
 
Another challenge is visibility. Without knowing what's in our environment, it's difficult to apply certain types of controls or protect that environment effectively. Lack of visibility means we might not detect malware or cyber attackers' behaviors in the environment. You can’t protect or segment what you don’t know. 
 
Segmentation is another critical area that's often lacking in different parts of the infrastructure. While different organizations and industries may have varying levels of segmentation, it is sometimes inefficient or insufficient. We need to consider how devices communicate, the traffic that flows in and out of the site, and how we separate different types of assets (IT, OT, IoT). Building security policies that limit and reduce exposure is crucial while still enabling the business to function. 
 
Additionally, the lack of personnel to support an OT security strategy or to bridge the gap between OT and IT can be challenging. IT focuses on protecting data and information, while OT prioritizes keeping operations running, and because these priorities don't always align, this can lead to potential conflicts.
 
Lastly, there’s the supply chain. The numerous third-party solutions, supply chain vendors, and capabilities introduced into the environment pose a challenge to protecting assets on-site. Third parties need to ensure they are doing their part to protect their assets, update their software, and test it for security vulnerabilities, with the added consideration of remote access. Without proper secure access controls or secure remote access solutions for third parties or external users, the environment can be exposed to potential external threats.
 
Taking care of all these areas together is challenging, but they all work together to ensure a secure environment. 
 
Maryam Irfan, Oil & Gas IQ: How can organizations balance between maintaining legacy systems and integrating new security technologies? 
 
Reynaldo Gonzalez: A very important aspect is prioritizing and conducting various types of assessments and information gathering, including site or risk assessments which can involve activities like penetration testing for OT and IoT systems. 
 
Site assessments can also mean identifying processes and understanding how incident response is handled, examining the current state of architecture and existing solutions. How segmentation is managed can be evaluated to assess a level of visibility and asset management. This process helps us better understand current practices and protections to secure different assets. Identifying legacy systems and evaluating how to protect them is a critical part of this process.  
 
Then, when it comes to updating and patching, you can't upgrade everything at once. Organizations need to assess risk and criticality to determine which areas to address first, resulting in a more phased approach. While prioritizing critical and high-risk vulnerabilities is important, do not overlook medium- and low-risk vulnerabilities, as those can also provide easy entry points for attackers, allowing them to move laterally across the environment.
 
Moreover, balancing unpatchable legacy systems and new security capabilities through effective segmentation is also crucial. By understanding what’s in the environment, the right actions can be determined. This could involve physical or logical segmentation or other measures to control how devices communicate. 
 
A layered approach is vital, incorporating various security solutions such as threat detection, intrusion detection and prevention, and endpoint solutions tailored for OT environments. These solutions should work together to identify and address threats effectively while balancing the needs of the business. 
 
Another consideration is the integration of solutions. Rather than relying on a single solution that tries to do everything, a cohesive portfolio of technologies that supplement and enrich collected information can provide equal value. While a single dashboard can be helpful, the focus should be on leveraging all the right capabilities of existing solutions effectively. Ensuring legacy systems are protected while integrating them with modern security solutions is essential for maintaining a balanced and secure environment. However, modernizing the legacy environment is equally crucial to keep up with the sophistication of emerging threats and attack capabilities.

Maryam Irfan, Oil & Gas IQ: How can stakeholders build a business case for investing in OT cybersecurity, especially when dealing with legacy systems? 
 
Reynaldo Gonzalez: One common method you hear about is risk measurement: how to quantify the risk of various assets. There may be a need to look at a standardized risk model or define the organization's own internal risk framework. Quantifying risk involves understanding the assets, their vulnerabilities, the potential impact, and the likelihood of an incident occurring. These factors help determine the best way to measure risk. While organizations might use different risk methodologies across various parts, ideally, there should be one cohesive approach to ensure consistency across the board. 
 
When determining actions, it is important to understand the risk associated with both taking action versus not taking action, considering financial and reputational impacts as well. One may interpret this risk as cost avoidance. Regulatory compliance is another factor that can influence these decisions. Compliance regulations and mandatory standards for the organization should be integrated into the decision-making process, either as a part of a risk assessment or as a separate consideration. 
 
Another aspect is conducting a tooling cost-benefit analysis, which involves comparing the costs of implementing certain measures or capabilities against the potential threats they address. By identifying gaps and overlaps in technologies and capabilities, it can be determined whether security tooling capabilities are effectively used or underutilized, while moving away from siloed tools. If multiple tools perform similar functions, they should be evaluated to determine whether to consolidate or break them apart to ensure efficient use, but only if it makes sense for the right use cases.
 
Lastly, communication with stakeholders and leadership is crucial as they need to be aware of the importance of cybersecurity and be proactive in aligning with cybersecurity efforts to ensure execution and action. It's not enough to acknowledge the importance of cybersecurity; there must be concrete support and buy-in from leadership to implement necessary measures. 
 
Maryam Irfan, Oil & Gas IQ: How can organizations address security vulnerabilities that arise from the convergence of IT and OT systems? What are the most common oversights? 
 
Reynaldo Gonzalez: One step in addressing vulnerabilities is understanding security policies and knowing what they dictate regarding when they should be addressed, patched, and updated, how they apply to different systems, and how they govern device access, user access, authentication, and network structure. 
 
Understanding these policies and ensuring that message is communicated (not just for IT and OT) brings clarity on how to work within the existing environment or new solutions. To help minimize challenges related to convergence, consider cross-training. For instance, having OT personnel shadow IT and vice versa helps each side understand the other's daily operations, fosters new insights, and builds relationships and trust. Building that trust is vital because IT needs to protect data, and OT needs to keep operations running. While both support the same company mission, their objectives are often misaligned due to different priorities.  
 
Common oversights include assuming that legacy protocols are secure. OT personnel might assume their protocols are safe without understanding the security implications. This can be dangerous, as unprotected or unencrypted commands can be exploited by attackers to disrupt operations. There’s a common misconception that some protocols are secure, or that some of the information exchanged does not need encryption, but it can be the right opportunity for the attacker when left unchallenged.
 
Another oversight is physical security. While logical and technological security is important, physical security—from external building access to internal access within the environment—must not be neglected. We must also consider the security of our supply chain and vendors. Integrating cybersecurity measures late in the process from physical security, whether already in place or lacking, can make it difficult to implement the right security measures. 
 
Maryam Irfan, Oil & Gas IQ: How can organizations foster a culture of collaboration between IT and OT departments to ensure seamless system convergence? 
 
Reynaldo Gonzalez: Building on what I mentioned earlier, cross-training is a key method for establishing better collaboration, allowing IT and OT teams to work together and understand each other's initiatives. From the cybersecurity perspective, it's good to understand the pain points and challenges faced by OT teams and how to provide value and support to enable smooth business operations. Conversely, OT needs to understand the importance of security and the reasons for implementing security solutions. 
 
Ongoing communication is another piece of the puzzle when it comes to fostering collaboration. Sharing initiatives through leadership support helps ensure alignment. Often, the operations side focuses on keeping the business running and generating revenue, so they may not prioritize security. The goal is to achieve alignment, ensuring operations support and partnering with cybersecurity to implement necessary actions. 
 
Thirdly, having the right OT governance process, from project intake to existing and new solutions, and involving cybersecurity in these processes is important.  
 
Maryam Irfan, Oil & Gas IQ: I understand you’re on the advisory board of our OT Cyber Security Summit! What are you most looking forward to at the event? 
 
Reynaldo Gonzalez: I'm interested in hearing more about how different groups, individuals, and organizations are overcoming industry challenges, especially since some are already advanced in the maturity model. 
 
There's only so much we can assume about what works and what doesn't, but I am eager to learn more about the unique approaches each organization takes. I'm also interested in understanding the strategies others are implementing, how they anticipate challenges, and how they adapt their strategies on the fly if necessary. 
 
Another intriguing topic is how organizations are incorporating Generative AI, like ChatGPT or other AI capabilities, into their digital transformation journeys. Are they thinking about Quantum security – either being resistant to it or leveraging it? It's fascinating to see how this field is evolving. As a Principal Cybersecurity Architect, I want to see the big picture and have a holistic view of different solutions on the market and how they fit into our roadmap and strategy. I'm looking forward to learning about the landscape of various solutions and capabilities and how they address or solve different problems for different customers. 

Learn how to bridge the gap between IT/OT teams to enhance collaboration and strengthen overall cybersecurity in a converged environment at the upcoming OT Cyber Security Summit in Houston, TX from October 28-29.