Bridging the Divide: The Convergence of IT and OT in Cyber Security
Guest blog by Matthew Mackay CISM CITP MBCS ChCSP MCIIS, Security Practice Lead at Logiq Consulting
Over the last decade, we have witnessed the convergence of Information Technology (IT) and Operational Technology (OT), a shift often linked to Industry 4.0 or the Fourth Industrial Revolution. This integration offers significant benefits, such as enhanced connectivity between systems, but also introduces new risks that must be managed effectively. As IT and OT become more interconnected, cybersecurity practitioners must move beyond the traditional Confidentiality, Integrity, and Availability (CIA) framework to address the broader security challenges that this convergence introduces.
Historically, cybersecurity has focused on protecting IT systems by safeguarding sensitive data (Confidentiality), ensuring data accuracy (Integrity), and maintaining system availability (Availability). While the CIA triad remains fundamental, it provides a limited perspective when applied to the converging world of IT and OT. By focusing solely on information-centric risks, we may overlook broader strategic risks that impact the organisation’s mission and operational safety. To properly understand and manage risks in this new landscape, we need to evolve our approach to include both IT and OT contexts whilst maintaining alignment with the organisation’s objectives.
A holistic approach to cybersecurity is now essential. IT and OT networks are complex, and their integration demands that we consider security from a broader perspective. Beyond just protecting information, we must recognise that a breach in one domain can have direct consequences for the other. For example, OT systems, which control physical processes in industries like energy, manufacturing, and transportation, prioritise safety and operational continuity. Cyberattacks on these systems could lead to physical damage or even jeopardise human safety, demonstrating the need for cybersecurity to extend beyond the information-centric CIA triad.
Expanding beyond the traditional framework, cybersecurity professionals must incorporate concepts such as Authentication and Non-Repudiation. Authentication ensures that system access is limited to verified users, reducing the risk of unauthorised access, while Non-Repudiation ensures accountability by confirming that actions taken within a system can be attributed to specific individuals. These considerations help address the evolving nature of threats in today’s interconnected environments.
As IT and OT systems merge, a more socio-technical approach to security is required. Cybersecurity must encompass not just the technical aspects of systems but also the people and processes that interact with them. This means adopting strategies that view cybersecurity and cyber resilience through multiple lenses, understanding how technology, human behaviour, and organisational processes contribute to overall security.
Furthermore, as these integrated systems evolve, the risk landscape changes rapidly. Cybersecurity strategies must reflect this by considering Safety alongside traditional cybersecurity objectives. By broadening the scope of security to encompass safety and resilience, we can protect not only data but also the physical processes that underpin critical infrastructure. A strategic, holistic approach, taking into account both the convergence of IT and OT systems and their socio-technical nature, ensures a fuller understanding of the risks and allows organisations to implement comprehensive solutions that protect both digital and physical assets.
In conclusion, the convergence of IT and OT calls for a cybersecurity approach that goes beyond the traditional CIA triad. By incorporating broader concepts such as Authentication, Non-Repudiation, and Safety, and by recognising the socio-technical nature of security, organisations can better manage evolving risks. This integrated perspective ensures the protection of data, the resilience of critical infrastructure, and the alignment of cybersecurity efforts with both operational and strategic objectives.
techUK’s Innovation in Cyber Security and Resilience Impact Day 2024
Welcome to our Innovation in Cyber Security and Resilience Impact Day 2024!
We will be publishing case studies, blogs and vlogs from our members which demonstrate some of the most significant innovations which ensure the UK’s digital infrastructure is secure against cyber threats.
Matthew Mackay is the Security Practice Lead at Logiq Consulting. He has been working in cyber security for over ten years with experience in both the Public and Private sectors, including the Ministry of Defence’s Cyber Vulnerability Investigation Programme and Secure by Design initiatives.