Understanding Shadow IT Risk for OT Departments

Here we will explore the Shadow IT Risks for OT Departments. Operations Technology groups can be an integral part of important business functions like production, maintenance and more. This means there are a lot of IT related functions which can be handled by the OT department members in terms of functionality. However, not involving the IT department could mean these IT functions could cause potential security concerns. The OT department member might not be aware of the exact way of handling the IT function like a professional IT member can. Easy attack vectors like servers, insecure IoT devices can pose as common security threats.

Shadow IT has been an increasing trend in the LoB departments. According to a C-space report, LoB managers spent more than 30% of their time making IT decisions. A likely reason is, it’s faster to get things done sometimes without going through an IT department who already are bandwidth constrained. With the rise of high-tech industrial equipments, the dependence on IT related operations increase. According to an IDC report, it predicts IoT spending will reach $1.1 trillion in 2021. This is really placing a higher demand on IT functions, thus needing IT guys in the OT departments.

What’s The Problem?

In short, OT Department is responsible for major functions in the organization and doesn’t necessarily coordinate with the IT department for all IT needs. The enormous small activities get work done faster but this ends in orphaned assets and various other vulnerabilities that the OT department person didn’t have the skills to handle.

Possible Mitigation Strategies

  • Stricter IT Policy

Stricter IT policy for connected OT systems could be a solution. However, there are implementation challenges. The OT department may not deem it necessary to contact the IT. OT Department has the responsibilities of production, maintenance and thus like might to retain the authorities here. The IT may have to enforce more severe actions.

The IT concerns may be well founded based on the trending reports. According to a Gartner report, it predicts by 2020, IoT will be involved in more than 25 percent of known enterprise security attacks.

The OT-IT convergence and departmental cooperation seems like a healthy balance to lower costs, increase efficiencies and minimize Shadow IT.

  • Using Third Party Vendors With Integrated Solutions And Converged Skills (OT-IT)

These parties can have a set of understanding on both departmental skills (major ones), thus bringing in great flexibility. Advanced OT technologies can be complicated in terms of implementation. This third party adds in a pool of skill resources which are transferable between the OT and the IT departments.

  • Continuous IT – OT Asset & Risk Identification

Various tools like Shodan can help in achieving this. The continuous tracking /risk identification of all IT – OT (inter-department) assets can help. The IT department can then formulate their policy to meet the needs of the OT department and even formulate training programs for the simple requirements empowering OT department.

Reference :


E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)