How can CIOs join up the security of their IT, OT and IoT layers?

Tim Best,
Executive Director, Ernst & Young AB

The internet of things (IoT) is unexpectedly forcing an intersection between Information Technology (IT) and Operational Technology systems and the internet. And organizations need to address it now.

With IT systems coming out of the back rooms, and OT hardware being fitted with internet-connected sensors, the IoT is pushing together what were completely siloed technology layers and launching them into the online world.


Of course, that is not necessarily any organization’s intention – but the intersection of these layers poses serious potential risks to almost everyone.

For the CIO, addressing this should be an urgent priority.

How should organizations address these layers?

As most CIOs know, cybersecurity should never be a bolt-on – it needs to be embedded in daily operations. However, the intersection of IT, OT and IoT needs extra care and attention to get there.

EY recommends one of two approaches.

The top-down approach

The digital revolution is causing the technology and operations of numerous different organizational siloes to be pushed together – but the organizational structure is often not keeping pace, so may need to be reengineered.

Organizations by and large are well practiced at managing the information systems and health and safety procedures of the pre-IoT era. Today, many organizations have innovation officers to develop new IoT-driven revenue streams, officers who look after the physical safety of operatives in the industrial environment, and the CIO or CISO whose role was to protect systems.

But because all these responsibilities are now being mixed together, the CIO needs to coordinate and oversee the transformation to a state where the organization can drive innovation without opening itself to cyber risks.

CIOs can begin by conducting a cybersecurity maturity assessment across a number of domains including:

  • Governance and organization
  • Awareness
  • Asset management
  • Data protection
  • Identity and access management

This top-down view can help identify the weakest link in operations and begin to redefine the policies, standards, procedures and governance of the entire organization.

The bottom-up approach

This approach involves a risk-based assessment of current operations, asking: what vulnerabilities exist and can be exploited? What is the potential business impact? And what can we do to manage them?

With IoT technology already installed, CIOs can create a timetable for regular security testing across all technology layers – from sensors to analytics to applications, whether whole products or individual components.

The bottom-up approach may also cover:

  • The use of secure code from code libraries
  • Regular patching of the firmware
  • Sourcing technology from reputable companies
  • Passing security requirements to suppliers and third parties all the way down supply chains

Testing of IoT technology in live production OT environments is very different to traditional enterprise IT. Often, when new vulnerabilities are identified they cannot be fixed right away, but need careful management until a scheduled maintenance window so downtime is minimized.

What is the imperative?

CIOs need to take the initiative to secure their technology layers to mitigate risks.

In the very near future, General Data Protection Regulation (GDPR) harmonization in the EU will require organizations to handle data securely – and set fines of up to 4% of gross turnover for non-compliance.

Currently there is no equivalent of universal health and safety standards for IoT, and information security standards for IoT design, build and operate are still several years away.


CIOs can address the security issues resulting from IoT:

  • Examine whether they are considering risks from across their entire network
  • Consciously integrate IT, OT and IoT
  • Manage the governance of all three layers

By not thinking about the security flipside of innovation and digital, CIOs may be at best missing out on an opportunity – and at worse needlessly opening their organizations to risk.

Legal disclaimer: The views expressed are those of the author only and do not represent the views of any of the member firms of Ernst & Young Global Limited.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s