Safety challenges specific to industrial control systems and IT/OT convergence

27 Nov 2024

IT/OT convergence: the crucial challenge of industrial cybersecurity

At the First Edition of Lyon Cyber Expo, Thierry Rouquet, VP at Digital League, Franck Bonnard, Consultant in Connectivity and Cybersecurity for IT-OT Converged Environments at NXO – Adira, Hicham Ben Hassi, CEO & CTO of AlgoSecure, Ludovic Benhamou, Security Engineer at Tenable, and Jean-Christophe Marpeau, Consulting Engineer at Cap’tronic, tackled the critical issue of IT/OT convergence. This strategic challenge is essential for securing industrial infrastructures in a context of increasing digitalization and stricter regulations.


The digitalization of industry, a driver of competitiveness and innovation, also exposes infrastructures to heightened cybersecurity risks. With standards such as IEC 62443 and directives like NIS2 imposing growing obligations, IT/OT convergence (information technologies and operational technologies) has become a strategic necessity for industrial companies.

According to Thierry Rouquet, former cybersecurity entrepreneur and vice-president of Digital League: “The price to pay for industrial digitalization is the increased attack surface. Cybersecurity challenges in the industry are not limited to protecting data but also involve ensuring production continuity and the safety of people.”

A complex reality, balancing legacy systems and modernisation

The integration of IT into OT presents specific challenges, particularly related to the obsolescence of industrial systems. Ludovic Benhamou, an engineer at Tenable, emphasizes: “Industrial equipment was not designed with cybersecurity in mind. Their recent connectivity makes them visible and vulnerable, requiring an entirely different approach compared to traditional IT.”


This specificity is also reflected in the life cycles of equipment. Hicham Benassine, Technical Director at AlgoSecure, provides a striking example: “During an audit on an oil platform, it was crucial to ensure a secure state in 2023, knowing that the platform would remain in service for 30 years without updates.” But beyond the technical aspects, it’s also a matter of culture and skills.

Franck Bonnard, a consultant at NXO, emphasizes: “IT and OT have long been two separate worlds. It is crucial to create mixed teams where everyone can bring their vision and expertise.”


Best practices for successful IT/OT convergence

While the challenges are numerous, solutions lie in a gradual and pragmatic approach:

  • Start with a risk analysis: Identify critical systems to allocate resources where they are most needed.
  • Gain full visibility of equipment: Understand who is connected, what vulnerabilities exist, and how they can be exploited.
  • Adopt proven standards such as IEC 62443: This standard offers a clear methodology to segment networks and limit the impact in case of an attack.

Franck Bonnard suggests an approach based on “small victories”: “Start with accessible projects, such as secure remote access or basic network segmentation. These initial successes will strengthen collaboration between IT and OT, paving the way for more ambitious initiatives.”


A human and organizational challenge

At the heart of this convergence, field operators play a central role. Their awareness and training are essential to avoid costly human errors, as Franck Bonnard humorously reminds us: “During an audit, we found an operator charging his phone on a critical station. Such practices can undermine all security efforts.”

The key to success also lies in leadership support. Involving top management in risk analysis, presenting concrete scenarios, and quantifying potential impacts are powerful ways to mobilize the necessary resources.

A strategic imperative in light of regulatory deadlines

With the NIS2 Directive, the Cyber Resilience Act (2027), and new machine regulations, industrial companies no longer have a choice: they must act now. According to Thierry Rouquet: “Companies must adopt a progressive approach. Waiting could cost much more in case of an attack or non-compliance.”

In conclusion, IT/OT convergence is not just a technical issue. It’s a global challenge, combining cybersecurity, operational continuity, and cultural adaptation. In the face of growing threats and an increasingly strict regulatory framework, achieving this convergence is an essential priority for the industry of tomorrow.

Lyon Cyber Expo, 19 September 2024, Salle Fourvière – Synopsis

For a long time, cyber risks in the industrial world seemed to concern only sensitive sectors such as energy or nuclear power. A number of cyber-attacks have demonstrated the contrary: whatever the nature of operational networks and their fields of application, they can be exposed to malicious computer activity at any time. This is all the more true now that connected industrial systems (CIS) are an integral part of the company’s global information system (IS), which enlarges the attack surface. They are at the heart of the well-known “IT/OT convergence”. In the context of industrial automation and all its associated constraints, what solutions can be deployed, and in what stages, in particular within the framework of IEC 62443, the essential standard for industrial cybersecurity?

