IT/OT Convergence: A Zero Trust Reference Architecture for the Energy Sector
Abstract
The barrier separating IT from OT has narrowed over the past 10+ years, and the rate at which this has happened has increased recently. It is no longer enough for utilities, pipelines and refiners to digitally transmit log data; they now expect cloud-backed analytics, remote control rooms from which engineers can adjust parameters, and virtual digital twins of physical assets, which allow them to manage facilities across vast geographies. All of that information, and the ability to use digital technologies, provides tangible business value to these operations, and it correspondingly widens the exposure of the systems running them. This paper examines IT/OT convergence as a business requirement that represents an ongoing security challenge. It discusses and proposes an adaptable zero trust reference architecture comprising five layers (identity, device, network, application and data) that energy sector environments may deploy within existing frameworks to better mitigate cybersecurity threats. We rely on case examples drawn from actual cyberattacks and disclosures from 2020 through mid-2022 to inform this architecture, which also reflects recommendations made by organizations such as NIST, CISA and IEC. Rather than offering a vendor-neutral checklist or prescriptive list of recommendations, this discussion aims to provide a strategic framework within which architects can make decisions about OT/IT convergence as it relates to operational security.
Article Information
| Journal | International Journal of Science, Research and Technology |
|---|---|
| Volume (Issue) | Vol. 5 No. 5 (2022): International Journal of Science, Research and Technology (IJSRAT) |
| DOI | |
| Pages | 8494-8502 |
| Published | September 9, 2022 |
| Copyright | All rights reserved |
| Open Access | This work is licensed under a Creative Commons Attribution 4.0 International License. |
How to Cite |
Vilas Shewale (2022). IT/OT Convergence: A Zero Trust Reference Architecture for the Energy Sector. International Journal of Science, Research and Technology, Vol. 5 No. 5 (2022): International Journal of Science, Research and Technology (IJSRAT), pp. 8494-8502. https://doi.org/10.15662/IJSRAT.2022.0505002