Many organizations use the ISO 27001 standard for information security. Because the IT department is familiar with this standard, it tends to design cyber security for the OT environment to the same standard. IT specialists often have insufficient knowledge of the specific characteristics and priorities of the process automation environment, so the cyber security requirements that follow from those characteristics are unintentionally overlooked. The result is a search for a single, similar approach for IT and OT, with unwanted consequences.
A different perspective
IT cyber security is mostly about securing information, whereas OT cyber security is mostly about system availability and integrity; in other words, the security of the process itself. Where IT typically ranks confidentiality first, OT ranks the ability to observe and control the physical process first. What happens if you are unable to monitor the primary process within the process control environment? And what happens if you lose control of the process altogether? In some sectors, such as water, energy and chemicals, it is essential to always have control over the process, because loss of control can lead to catastrophic incidents.
It is important to maintain a dialogue between the IT and OT specialists of the organization. The OT specialists know the specific dynamics of the OT environment and can explain how access management, patching, antivirus and change management within the OT environment are completely different from their counterparts in the IT environment: a patch or scan that is routine on an office workstation may require a planned production stop, vendor approval and testing before it can be applied to a controller. It is by seeking dialogue and listening carefully to the priorities of OT that a collective approach to cyber security can work.