The blurry line between information and operational technology
As Canada’s digital infrastructure transforms, the lines between information technology (IT) and operational technology (OT) are blurring. Businesses now rely on integrated systems that connect data-driven insights with real-world operations — further integrating IT and OT. While this convergence unlocks efficiencies, it also creates new vulnerabilities, particularly in the energy, manufacturing, and transportation sectors.
OT systems that were once free from external threats are now prime targets for cybercriminals. Ransomware attacks can halt production, disable power grids, and interrupt transportation networks.
In 2021, the U.S.’s Colonial Pipeline suffered a ransomware attack on the IT side of the business via a virtual private network. The organization proactively shut down pipeline operations to prevent the breach from spreading to their OT systems. In the end, Colonial Pipeline paid a $4.4 million ransom to regain control and ensure the breach did not impact its operational technology.
At the same time, generative AI is reshaping cyber security — offering both defensive advantages and new weapons for attacks. As risks increase, organizations must rethink their governance strategies, balancing innovation with security.
OT incidents on the rise
Fraudsters are shifting from targeting IT networks to OT environments, where downtime can be crippling. And the growing frequency and cost of ransomware attacks demand enhanced cyber security measures. Organizations must prioritize resilience through improved incident response planning, employee training, and investment in advanced detection technologies.
AI is both a cyber security tool and a threat to your IT and OT systems, particularly generative AI (Gen AI). In fact, the Canadian Internet Registration Authority reported that 70 percent of cyber security professionals expressed concern about potential cyberthreats from Gen AI, particularly when it comes to data gathering by AI tools (61%) and improved phishing tactics (56%).
As these AI-driven threats grow, organizations must adopt smarter monitoring, tighten data controls, and develop ethical AI policies to stay ahead.
Risks to watch
Ransomware attacks: Ransomware remains the top cybercrime threat, directly disrupting critical infrastructure and essential services.
State-sponsored cyberthreats: Nation-state actors are engaging in espionage and intellectual property theft.
Phishing and social engineering: Phishing attacks continue to be prevalent, exploiting human vulnerabilities to gain unauthorized access to systems, impacting both IT and OT.
Legacy system weaknesses: Outdated IT and OT infrastructure poses security risks and hinders the adoption of modern technologies.
Insider threats: Internal hackers continue to pose significant risks to organizational security.
Supply chain vulnerabilities: Risks associated with third-party vendors and supply chains are rising, which could potentially compromise organizational security.
Regulatory compliance challenges: Evolving regulatory requirements demand continuous adjustments to compliance strategies, impacting IT and OT operations.
Advanced persistent threats: Sophisticated, targeted cyberattacks aimed at stealing data or disrupting operations are becoming more prevalent.
IoT vulnerabilities: The growing number of IoT devices expands the attack surface, introducing new security challenges for both IT and OT.
Operational disruptions from cyber incidents: Cyber incidents lead to operational disruptions, affecting productivity and service delivery.
Mitigation strategies
- Strengthen cyber defenses
- Upgrade legacy systems
- Improve employee training and conduct regular security training
- Assess supply chain security
- Establish insider threat programs
- Ensure regulatory compliance
- Monitor for advanced persistent threats
- Security measures on IoT devices
- Develop incident response plans
- Security is holistic considering both IT and OT environments
Questions to consider
- How can your organization address the evolving cyber security threats to IT and OT systems as critical infrastructure becomes a prime target for attacks?
- What measures are being taken to harmonize IT and OT governance, given their different operational priorities and security requirements?
- How will Canadian regulations and global standards shape IT/OT governance and strategy in the future?
- What strategies are being implemented to manage the talent and skills gap in IT and OT convergence, particularly in the context of emerging technologies like AI and IoT?