As Industrial Cyber reports, "Aligning risk and consequence-based approaches across IT and OT environments is crucial for robust cybersecurity." Each environment presents its own challenges.
In some respects, risk analysis approaches look very similar between IT and OT environments. Sarah Freeman, chief engineer for intelligence, modeling, and simulation at MITRE’s Cyber Infrastructure Protection Innovation Center, told Industrial Cyber, “In both cases, for example, organizations are first asked to identify key systems or data in their enterprise (i.e., you cannot protect that which you cannot see). Similarly, several approaches for defining and mitigating risk are environment agnostic, having applications in both IT and OT spaces. There are some differences in the types of risk, however, as well as which risks are most severe to those environments.”
She highlighted that a commonly quoted example is the IT-focused CIA triangle (i.e., Confidentiality, Integrity, and Availability), which prioritizes the confidentiality of transactions. In contrast, for most OT environments, Availability is king, with encryption rarely used between systems and users.