An exploration of the need of OT governance and the adaption of IT governance frameworks to fulfil this requirement
Thesis (MBA)--Stellenbosch University, 2015.
ENGLISH ABSTRACT: Corporate governance codes such as King III are focussing on IT governance due to the strategic nature of IT systems and the impact security breaches or failure of IT systems can have on a company’s sustainability. The convergence of Operational Technology (OT) and IT brings about both risks and opportunities for OT systems, while further entrenching their strategic nature within organisations. These systems are therefore key to the sustainability of an organisation and this necessitates the extension of sound governance not only to IT but also to OT. In many organisations, due to the previously closed or proprietary nature of OT systems, no governance controls or frameworks have traditionally been needed or put in place for OT systems. The aim of this research was to explore whether the lack of OT governance controls or frameworks within OT-reliant organisations could be addressed by adapting and implementing leading IT governance models for OT systems due to the convergence between traditional IT and OT. The research methodology employed was a literature review followed by the selection and adaptation of a leading IT governance framework for OT governance. Additional data regarding OT incidents was gathered from the author’s own organisation and documented as mini case studies to determine if OT governance could have mitigated or minimised the impact of the documented OT incidents. The research showed that IT and OT are converging on two fronts: firstly due to integration between IT and OT, and secondly due to the sharing of common technologies at a hardware, software and network layer. The research also indicated that the security risks facing IT continue to grow in number and sophistication. By extension, due to the technology convergence, these risks are now extending to OT systems, adding to the risks already facing OT systems. Leading corporate governance codes are espousing holistic governance to ensure the sustainability of an enterprise.
Certain codes such as King III from South Africa have specifically called out IT governance as a key element of a holistic governance practice. Due to the convergence between IT and OT as well as the increasing risk, the lack of governance in OT can have a material impact on the sustainability of an OT-reliant enterprise, necessitating the extension of governance to cover not only IT but OT as well. The research showed that a leading IT governance framework such as COBIT 5 can be applied to OT with little or no adaptation, firstly due to the closeness between IT and OT brought about by their convergence, and secondly due to the way that COBIT 5 has been developed to serve as an overarching governance framework that can be adapted and applied by enterprises to suit their unique requirements, one of which could be OT governance.