The National Critical Infrastructure Protection Center (Centro Nacional de Protección de Infraestructuras Críticas: CNPIC) and the Fundación Borredá once more came together to successfully organize for the sixth time the Congress on the Protection of Critical Infrastructure and Essential Services, helping to bring cybersecurity to wider notice. Spain’s Ministry of the Interior, Fernando Grande-Marlaska, opened the event by stressing the importance of the collaboration of operators and the need of driving cybersecurity further forward. Javier Zubieta, Marketing and Communication Manager of GMV’s Secure e-Solutions sector, took part in the panel debating the integration of the IT and OT worlds, all speakers agreeing on the importance of bringing about a real integration of both worlds, even regarding it as an obligatory need. From a technical point of view today’s IT and OT networks share many protocols, meaning they are exposed to similar threats. Reality shows that industrial networks expose data and services to Internet as well as other input vectors to a world like OT, traditionally isolated but now hyper-connected. It is therefore now crucial to tap into all security management experience built up in the IT world in order to export the best principles, practices and technologies to the OT world, given that IT/OT convergence is now an established fact.

A good start here would obviously be to set up initiatives enabling organizations “to ascertain the risks of their industrial plant by means of cyber diagnosis work”, argued Javier Zubieta. During his speech he gave three concrete examples of how cybersecurity can help in the OT world. Firstly, by bringing risk-based cybersecurity practices to OT. Secondly, encouraging industrial plant to make use of the cloud. And, thirdly, bringing out legislation like the cybersecurity-embedded Critical Infrastructure Protection Law. Fittingly, the event coincided with publication, in Spain’s official journal of new laws (BOE), of the Royal Decree Law on the security of information systems and networks (NIS Law), which obliges essential-service operators to establish minimum cybersecurity measures and reinforce public-private collaboration in this area.