Combining IT, OT with a security operations center

Companies can help prevent cyberattacks by forming a security operations center (SOC) to get the information technology (IT) and operations technology (OT) on the same page with the same goals.

By Heather MacKenzie January 22, 2019

With the responsibility to keep their companies ahead of all enterprise-wide threats, company leaders are feeling the increased pressure. Oftentimes, these security leaders “grow up” in information technology (IT)-centered roles, leaving them to feel they’ve got threat detection and response under control.

But, what about the operational technology (OT) side of the company?

If operational disruptions or theft of intellectual property aren’t keeping them up at night, they should be. The absence of OT from the digital risk management mix frustrates CEOs and board members alike. That’s because industrial cyber risks continue to increase.

A key part of the solution is simple: An IT/OT security operations center (SOC).

Combined team approach

An SOC is a team, sometimes working at a dedicated facility, whose primary role is to manage and mitigate cybersecurity threats. This team of security analysts and engineers monitors network and device activity to identify and thwart issues. As a result, they protect the business and its sensitive data, plus ensure compliance with industry and government rules.

SOCs can take many forms and models ranging from virtual to co-managed to a dedicated, in-house function.

Choosing the right model will depend on a company’s needs and resources. Many companies are opting for a SOC over other options as they strive for more control over security monitoring and how they handle threat mitigation.

But, these SOCs often only include IT systems. As threats to OT systems intensify, there are several key reasons to add in OT and evolve into an integrated, enterprise-wide SOC. They include:

  • Better communication. By monitoring all systems in a centralized SOC, there’s less risk for communication breakdowns between separate OT and IT teams. You also eliminate the likelihood of incidents being dropped when passed between teams.
  • Reduced costs. Instead of having two SOCs – one for IT and one for OT – it’s far more cost-effective to combine the two under one umbrella with shared resources, technology and facilities.
  • Combining overall knowledge. To properly protect OT systems, it takes IT skills and OT knowledge. Many teams find it easier to train IT people on OT sensitivities than OT people on IT cybersecurity skills. This is easier to accomplish with a unified SOC.
  • Better awareness. An IT/OT SOC delivers complete situational awareness needed to protect both the business and industrial sides of the organization.

“Organizations with both IT and OT struggle with the coexistence of two separate security and risk management functions. This leads to a dispersed view on the overall operational risk the organization is facing,’ said Gartner in its “How to Organize Security and Risk Management in a Converged IT/OT Environment” report.

“In a continuously evolving threat landscape, a single established security and risk management function is better-positioned to address these threats across both IT and OT. A single leader of this function can also be held accountable for the organization’s overall digital risk. As an added benefit, scarce security resources can now be deployed to address both IT and OT,” the report said.

IT/OT SOC transition

While choosing to move to an enterprise-level SOC is an important choice, it will take time and thought to execute. OT systems come with security challenges that are unique. Meeting OT’s security needs will require a deeper knowledge and understanding by the overarching SOC team.

Before beginning a transition, consider and discuss how to tackle these three critical areas:

  • Technology – It’s important to ensure any solutions meet OT’s specific requirements and can integrate into the existing IT SOC infrastructure. Both are equally important. A gap on either side will create barriers to a successful transition.
  • Resources – An enterprise-level SOC needs people who specialize in industrial aspects. These team members might work out of the company’s facility, or they could be part of a virtual or extended team. No matter how its resourced or staffed, expert industrial and OT knowledge will be a necessity. One way to avoid issues is to keep the team members at one physical location and provide appropriate cross-training.
  • Accountability – The only way to bring IT and OT together is creating a culture of unity starting from the top down. It is important to have the teams report to one leader and to share common goals and key performance indicators (KPIs). As teams begin to merge, they should go through exercises to get to know one another and understand the other’s priorities and challenges. The faster they can seamlessly work as a team, the more successful the IT/OT SOC will be at achieving its goals and delivering business value.

Cyber resiliency

A IT/OT SOC is a forward-thinking way to address and mitigate cyber risks companywide. A combined structure taps into the individual strengths of IT and OT team members, ultimately creating a faster, comprehensive and more cost-effective approach to digital risk management.

This content originally appeared on ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,

Original content can be found at

Author Bio: Heather MacKenzie is an ICS cybersecurity specialist at Nozomi Networks. She has worked in industrial cybersecurity since 2008. She helps OT/IT teams responsible for industrial control networks understand cyber risks.