The State of Digital Transformation and OT/IT Convergence
As we approach the end of an unforgettable year, all industries are recovering from the aftereffects of the global pandemic and contemplating the meaning and purpose of digital transformation. The goals of OT/IT (operational technology/information technology) convergence are far from cohesive, the associated investment costs remain constraining, and pathways to revenue appear too fluid for key stakeholders to commit to and execute on a roadmap. The collaborative nature of such an endeavor to transform legacy systems in critical infrastructure crammed with heterogeneous brownfield and greenfield devices is a daunting prospect. It will require equipment manufacturers, service providers, cloud platform vendors, and device owners/operators to agree on fundamental aspects of change (whose turf is this to lead the charge?).
The OT/IT Global Market Survey
To initiate an open dialog, Mocana conducted a global market survey to solicit views from key stakeholders and security professionals in the fields of OT and IT. The survey respondents, who lead the charge in the battle to protect mission critical devices from cyber risks, provided their perspectives and challenges as they embark on digital transformation in their respective industry segments. This post describes the findings and proposed objectives to empower chief risk officers, solution architects, device vendors, owners and operators on this journey to design and build the next generation of smart connected things – for smart cities, smart homes, smart factories, smart buildings, smart transportation, and smart national defense (yes, we left nothing behind including the kitchen sink).
By all analyst projections, we see an emerging wave in OT/IT convergence that will drive adoption of digital transformation with standards and compliance-based objectives. OT/IT convergence for digital transformation requires a horizontal platform and collaborative effort for multi-tenant scalability (up and out), low latency, device interoperability, and subscription-based services. The opportunities for on-premises and cloud-based managed security service providers are immense, with a subscription-based utility model to manage cyber risks as IoT devices proliferate and penetrate all industry sectors. The OT/IT convergence wave will sweep across brownfield and greenfield devices offering a unified, streamlined, and non-disruptive workflow.
The OT/IT Global Market Survey Findings
Key Factors for Stakeholders
The survey responses provided insights into key factors that are broadly influencing stakeholders and decision-makers about the evolutionary trajectory of devices in narrow-band and broad-band IoT domains.
- Device Tampering
- Device Cloning
- Device Hardening
- Zero Trust Infrastructure with Mutual Authentication and Secure Elements
- Device Recovery
- Track and Trace Updates
- Supply Chain Provenance
- Network Traffic Encryption with Pathway to Post Quantum Cryptography
- Standards & Compliance
- Network Segmentation
Goals for OT/IT Convergence
To paraphrase the proposed goals in one mission statement: “OT/IT convergence for digital transformation requires developing seven habits of trustworthy devices, five degrees of device protection, and three rings of resilience in cyber space.” The reincarnation of devices must begin with the “transformation” objective. There can be no digital transformation without the transformation predicate.
The Seven Habits of Trustworthy Devices
Old habits die hard; bad habits die harder (factory default passwords, unprotected passwords on autonomous devices, implicit/assumed trust, plain text communications, dearth of forensic logs, theft of unprotected intellectual property and mission data at rest). Device transformation is an essential component of digital transformation. The habits to achieve trustworthiness must span the device life cycle from the time of manufacture, through the lifetime of provisioning, operations, and maintenance in the field, to decommissioning (revocation/removal) of cryptographic artifacts on the device.
The Five Degrees of Protection
The level of protection that a particular device warrants will vary based on device function, resource constraints, cost of harm on compromise, and the price of hardening (at manufacture or in-field retrofit) amortized over the lifetime of the device in the field. The five degrees of device protection are: device identification, device authentication, key protection, data protection and operational trustworthiness. The security controls required depend on the capabilities of the underlying hardware platform and the desired level of cybersecurity compliance based on the industry segment.
The Three Rings of Resilience
Building perpetual resilience requires a foundation of trust at the core, a shield of protective countermeasures against insider and external threats, and measurement-based risk indicators for AI/ML powered timely and remote intervention. The pathways to cost effective distributed risk management, operational efficiencies, and subscription-based services rooted in a public/private/community cloud-based platform would be illuminated by these rings of resilience.