Four ways to converge physical and cybersecurity in industrial operations

Physical and cybersecurity are becoming more intertwined, which can create potential headaches between information technology (IT) and operational technology (OT). See four ways organizations can make the convergence easier.

By Jonathan Lang February 25, 2021

Cybersecurity is a relatively recent top concern for industrial enterprises. A number of high-profile security incidents, like the hacking of a Florida water treatment plant, have brought the topic into public scrutiny, but the issue has been of growing importance for several years.

According to IDC’s 2020 IT/OT Convergence survey of over 1,000 IT and operations professionals in the manufacturing, oil & gas, utilities, and mining industries, concerns about the security of integrating information technology (IT) and operational technology (OT) systems are the number one barrier to advancing their technology initiatives.

However, the air-gapped approach of isolating OT systems and industrial networks from outside access is no longer an option, as the benefits of connecting these systems have created new performance expectations to remain competitive. This is the current paradox of OT cybersecurity.

Most organizations are approaching cybersecurity from a very IT-centric perspective. Operations has a requirement to connect data systems to the cloud for remote access and advanced analytics, and IT is expected to secure the process. Traditional IT approaches to network and endpoint security are deployed, and projects are permitted to advance to meet operational needs. Operational needs and processes are dynamic and nuanced, which is a problem because traditional IT security approaches tend to rely on a fixed set of knowns, flagging anomalies as potential incidents.

Operational processes and changes tend to result in significant blind spots and false flags from a security perspective, which can desensitize operations staff to security issues. Complicating matters, the most serious security threats, like the one in Florida, require a combination of access to sensitive data and the subject matter expertise to interpret and manipulate it to cause harm. Most of the time, these disruptions can only be executed through an ignorant or malicious employee or ex-employee.

Monitoring access-based behavior in operations is the responsibility of physical security groups who manage access to facilities and witness the actions of staff in an operational environment. Monitoring processes for healthy changes and execution is the responsibility of operations professionals. These two groups provide the necessary day-to-day context to identify suspicious behavior. So long as cybersecurity remains a separate responsibility with IT oversight, the potential digital insider threat remains unaddressed.

That’s why forward-thinking industrial security companies are integrating their physical and cybersecurity organizations and systems, according to IDC data from the same survey.

Four ways to achieve physical, cybersecurity integration

These converged physical and cybersecurity initiatives take a holistic approach to key security requirements and focus on integrating security into operational processes. Security should be seamless and unencumbering for operations professionals; the only way to achieve this is empowering operations to be self-sufficient and self-governing. Here are four ways an integrated physical and cybersecurity approach can achieve this:

  1. Data and remote access policies and governance models can be developed and managed in concert with physical operations role and access policies. For example, granting and revoking a third-party service employee physical and data access to maintain an asset.
  2. Detecting cyber anomalies in the context of a physical change order to reduce false positives. For example, recognizing an operating parameter will be adjusted and having threat detection systems adapt to this change in real time.
  3. Non-intrusive monitoring of both physical and digital processes concurrently. In the example of the Florida water treatment plant, an operations supervisor monitoring the process detected the increase in sodium hydroxide levels. Had they been empowered to monitor remote access and notice the unusual activity, the intrusion would have been detected before the change was made. In an integrated approach, physical access can be approached like production asset monitoring with upper and lower bounds, trend analysis, multivariate diagnostics, etc.
  4. Integrating device security into asset commissioning processes reduces blind spots by making security inherent to engineering processes.
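As an added illustration of items 1 through 3 (not code from IDC or the original article), the sketch below triages a setpoint change against approved change orders, so a planned adjustment by the named technician is treated as expected while an unplanned one is alerted with the reasons an operator would need. The record layouts, asset names and values are assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import datetime

# Hypothetical record shapes; real work-order and HMI/remote-access logs will differ.
ChangeOrder = namedtuple("ChangeOrder", "asset parameter user start end low high")
SetpointEvent = namedtuple("SetpointEvent", "time asset parameter user remote value")

def triage(event, orders):
    """Classify one setpoint change as ('expected', []) or ('alert', reasons)."""
    matching = [o for o in orders
                if (o.asset, o.parameter) == (event.asset, event.parameter)]
    best = None
    for o in matching:
        reasons = []
        if not o.start <= event.time <= o.end:
            reasons.append("outside approved window")
        if event.user != o.user:
            reasons.append("user not named on change order")
        if not o.low <= event.value <= o.high:
            reasons.append("value outside approved bounds")
        if not reasons:
            return "expected", []          # fully covered by a change order
        if best is None or len(reasons) < len(best):
            best = reasons                 # keep the closest-matching order
    reasons = best or ["no change order covers this asset and parameter"]
    if event.remote:
        reasons = reasons + ["made over a remote-access session"]
    return "alert", reasons

# Constructed sample data (not from any real plant).
ORDERS = [ChangeOrder("dosing-pump-1", "naoh_ppm", "vendor.tech",
                      datetime(2021, 2, 1, 9), datetime(2021, 2, 1, 11), 90.0, 120.0)]
PLANNED = SetpointEvent(datetime(2021, 2, 1, 9, 30), "dosing-pump-1", "naoh_ppm",
                        "vendor.tech", False, 110.0)
UNPLANNED = SetpointEvent(datetime(2021, 2, 1, 13, 30), "dosing-pump-1", "naoh_ppm",
                          "operator7", True, 5000.0)

if __name__ == "__main__":
    for ev in (PLANNED, UNPLANNED):
        print(ev.time, *triage(ev, ORDERS))
```
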

In operations, IT cybersecurity is viewed as a tedious and disruptive activity that runs counter to operational performance. To adopt new Industry 4.0 capabilities without increasing enterprise risk, security practices must become inherent to operational processes. It’s up to operations professionals to opt in and take charge of these responsibilities to improve cyber protections.

Jonathan Lang is research manager for IDC focused on IT/OT convergence strategies. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.

ONLINE extra

IDC is a global provider of IT market research and advisory services where we help enterprises to build and execute their technology strategies.

Original content can be found at www.industrialcybersecuritypulse.com.

