Converging IT and OT Security: Learning lessons from the golf course

Line of Defence Magazine - Autumn 2022

Old school scoring. Image supplied.

If 21st century golf tournaments can get security convergence right, writes Consultant to Fortinet and 2021 #1 IFESEC Global Influencer in Security Jennie Vickers, why is it that organisations’ Boards and C-Suites struggle to do so?

One memorable weekend in the 80s I attended my first one-day county cricket match in Sussex, England. The cricket was a cover story for a pub crawl around Youngs’ Pubs to secure Young’s Passport Stamps (I am yearning for the days when this was the only passport that mattered to get you into a pub!).

We had two tickets to the cricket and there were four of us. I went in with my ticket and followed the lead to the back of the ground, where there was a cute garden gate. The rest of the group strolled in via the open gate. This was a typical scenario of 80s slack, almost non-existent perimeter security and no concerns about the security of the scoring data – the tin with the numbers was under the fierce eye of the octogenarian scorer.

Fast forward to 2022 and the DP World Tour Abu Dhabi Golf Championship was underway. With 47 tournaments around the world, the DP Team CTO Michael Cole said: “[we are not] building small towns, we are building smart cities.” Regardless of your definition of a smart city, it is hard to disagree that this model of convergence between physical and IT security, is an emerging feature of our times.

The topic of IT/OT security convergence is not new. Known potential threats to infrastructure climbed up risk registers decades ago. Even though it has been a topic of discussion – particularly in utilities – for years, IT/OT convergence continues to vex many businesses and many professional communities to this day.

From one perspective, the decision way back to air gap OT systems and to keep them distanced from IT and its incessant growth and change, made perfect sense. However, it also meant a growing gap not just of air, but of everything. Risk appetites, capex, opex, staff, strategic prioritisation etc, etc.

Read this article in the digital edition:

IndustrialCyber’s Essential Guide to IT/OT convergence says: “Just like in the famous relationship book by John Gray, Men Are from Mars, Women Are from Venus, the folks behind the IT and OT networks are extremely different with disparate perceptions, worldviews, and purpose.” Mars and Venus views are hard to converge.

Digital Transformation and the speed of the arrival of IoT, has caused many organisations to recognise that the Venus and Mars teams need to work together. Not everyone has found this obvious imperative easy to implement.

I have been mulling over why IT and OT have stubbornly stayed apart and wondering why Boards of Directors and CEOs have not been insisting on more secure and joined-up approaches sooner.

Fortinet introduced the concept of the Fortinet Security Fabric back in the last decade. The concept makes perfect sense. In 2020, described the Fortinet Security Fabric as “just like actual fabric – many individual fibers weaved together – the Security Fabric is Fortinet’s vast security portfolio intertwined. In short, it’s an integrated solution allowing you to see, manage, and secure your network products in one place.” This definition resonates.

Last year, Gartner brought to market the concept of cybersecurity mesh architecture, saying it “provides a foundational support layer that enables distinct security services to work together to create a dynamic security environment.”

Talking this week, Fortinet’s EMEA CISO Alain Sanchez commented to me that “these integrated approaches are becoming a must. Where we used to have hours and sometimes days to mitigate an attack, we are now dealing with micro-seconds. During this critical and tiny time window, we have to assess whether incoming traffic is legitimate, bringing value and serving in real time the user experience or, is in fact an attack whose consequences can be dramatic. The right decision happens when and only when we have that holistic convergence of security”.

Whether you say ‘fabric’ or ‘mesh’, ‘tow-may-tow’ or ‘tow-mah-tow’, the concept of integrating, converging, and intertwining physical and cyber security makes sense. So why are we not making it happen faster?

Back to the golf.

Alain Sanchez last week posted on Linkedin a short video about the Abu Dhabi Golf, interviewing the DP CTO Michael Cole about the course and reiterating the idea that it’s “a smart city that gathers all the challenges of IT and cyber security in one go.”

This graphic extracted from the video illustrates the range of data, infrastructure, and facilities they are building and integrating every week in a new location (the video can be found on LinkedIn:

If the DP Team can do this all around the world and ensure security, week in and week out, it must be possible for the professionals from Venus and from Mars to do the same thing.

This week I heard about the new Architecture and Built Environment Degree running at AUT University. In Year Three, students “explore the overlap between architectural and entrepreneurial thinking as strategies for working in uncertain contexts, and the impact of innovation, computational intelligence, emerging technologies and integrated systems on architecture.”

It is exciting to see this example of study recognising the need for this integration of approaches, while industry is still getting its head around the what and the how.

If a ‘fabric’ mindset is not getting traction from your C-Suite or Board to support IT/OT convergence, maybe you need to remind them that your organisation is effectively a ‘smart city’ and that it’s only dumb cities fail to join up the dots.