Secura
Implementation Conflicts of Cybersecurity Management Systems
Pages
5
Time to read
10 mins
Publication
Language
English
This white paper addresses the conflicts that may arise when implementing cybersecurity management systems (CSMS) in IT/OT environments. It outlines the challenges faced as industrial environments become increasingly connected and reliant on cloud-based solutions, leading to a convergence of IT and OT systems. The document discusses relevant standards, including ISA/IEC 62443-2-1 and ISO/IEC 27001/2, and highlights specific examples of conflicts that can occur when extending IT security measures to OT environments. Three examples are provided: the control of clear desk and clear screen policies, secure authentication practices, and the management of authentication information. Each example illustrates how certain IT-oriented controls may conflict with the operational needs of OT environments, emphasizing the need for a careful and prioritized approach to ensure safety and operational continuity. The paper concludes with recommendations for conducting security maturity reviews and assessments to evaluate and improve the cybersecurity posture of organizations operating in both IT and OT domains.