Many companies around the world with industrial operations environments, commonly referred to as operational technology (OT) environments, do not invest the same resources to protect OT systems as they do to secure their corporate enterprise environments. Yet, these same companies are investing significantly to transform these environments with modern technologies and techniques to improve productivity, become more efficient, increase worker collaboration through increased data analytics and achieve other benefits that will make the company more competitive through higher quality and cost-effective products.

Some of these new industrial process improvements include reduced latency through edge computing and 5G technologies, autonomous vehicles, robotics, cloud computing, industrial Internet of things (IIoT) devices, remote access and more. Yet, the age-old problem continues to exist whereby insufficient cybersecurity controls make these environments easy targets for cybercriminals and nation-state cyberattacks. The industrial OT environments are critical to a company’s financial well-being and, depending on what the company produces, may be essential for the functioning of the broader society and economy. A recent example is the semiconductor shortage that has impacted many companies that produce all types of electronic products, mobile phones and cars. The risk and impact of an OT attack are much higher than a cyberattack on these same companies’ corporate enterprise environment where they invest significantly today.

Most companies are taking shortcuts by looking for easy and cheap ways to protect their OT environments. This typically involves the purchase of OT intrusion detection system (IDS) technology that can help with device discovery, network visualization, some type of signature-based malware detection and device vulnerabilities. This is a good start, but this type of solution is far from a comprehensive security program that is required to mitigate the company’s risk from a broad set of OT threats.

In the corporate enterprise environment where companies have been investing in mature cybersecurity programs, a one-tool approach would be considered laughable and certainly would fail any compliance audit. So why are companies reluctant to invest in protecting their critical OT environments?

  1. Lack of governance: Companies have not established the roles and responsibilities for OT security. This is a critical step, and the trend is to assign the chief information security officer (CISO) this responsibility. This is because the CISO understands what a good security program requires. The CISO may not understand the OT environment, but this has not proven to be a significant issue.
  2. Lack of a quantitative risk assessment: Why quantitative? Because the business stakeholders will quickly support the need to invest in a cybersecurity program once they realize the financial impact to the business should they be unlucky enough to be attacked.
  3. Document “current state”: OT IDS products help with this activity but will not do it all. What type of insight do you need? You need a perspective on:
    1. People: Who needs access to the OT environment? Who already has access? How is this access managed? Is remote access common?
    2. Process: What are the industrial operations processes? What technologies support these processes? What processes are changing due to new digital transformation strategies?
    3. Technologies: Which devices support which industrial processes? Are there OT assets that are not connected to an IP network? How will these be protected? This inventory will be valuable for lots more than just security. For example, consideration should be given to integrating the OT device details into the company’s asset management system.
    4. Network Architecture: How is the network designed? Are leading practice security principles incorporated into the design? Many companies are digitally transforming their network infrastructure and leveraging 5G and WiFi. With OT original equipment vendors adding more industrial IoT capabilities to their new products, this should be a consideration and included in the security strategy.
    5. Threat Assessment: Which threats are relevant and which are not? It is very important to identify the threats that are relevant so that an effective and efficient security program can be developed to mitigate the risks.
    6. Vulnerability Assessment: What vulnerabilities exist currently? Are there associated controls in place to prevent the vulnerability from being exploited in a cyberattack?
    7. Data Discovery and Classification: What data is being produced and transmitted from the industrial environment? If you do not know, then data discovery, classification and protection must be added to the strategy and plan.
  4. Lack of an OT security strategy and plan: Once you understand the current environment, it is time to develop a cybersecurity strategy and plan to mitigate the risk of a cyberattack. This step seems logical, but it cannot be completed effectively without the first three steps. The quantitative risk assessment results establish the priorities. The plan should include techniques to continuously maintain visibility into all the areas referenced in step 3. It must have preventative controls put into place to protect known vulnerabilities. Finally, there must be solutions included to monitor the controls to make sure they are operating effectively. If they are not, there must be solutions to identify when a cyberattack is exploiting a vulnerability so that you can quickly respond to mitigate any impact to the business and quickly return to business as usual.

It is time that companies with OT environments start investing in their OT security programs. It will not be cheap or easy, so you should consider leveraging a trusted systems integrator with OT security experience.

More from Risk Management

The Role of Finance Departments in Cybersecurity

Consumers are becoming more aware of the data companies collect about them, and place high importance on data security and privacy. Though consumers aren’t aware of every data breach, they are justifiably concerned about what happens to the data companies collect. A recent study of consumer views on data privacy and security revealed consumers are more careful about sharing data. The majority of respondents (87%) say they wouldn’t do business with companies that appear to have weak security. Study participants also…

What Does a Network Security Engineer Do?

Cybersecurity is complex. The digital transformation, remote work and the ever-evolving threat landscape require different tools and different skill sets. Systems must be in place to protect endpoints, identities and a borderless network perimeter. The job role responsible for handling this complex security infrastructure is the network security engineer. In a nutshell, the network security engineer is the person who is responsible for the design and implementation of the organization’s security system, ensuring there are no gaps or vulnerabilities for…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

What is Reverse Tabnabbing and What Can You Do to Stop It?

Tabnabbing is a phishing method in which attackers take advantage of victims’ unattended browser tabs. After hijacking an inactive tab and redirecting it to malicious URLs, an attacker can perform a phishing attack and execute scripts. With reverse tabnabbing, on the other hand, attackers can actually rewrite the source page after a victim clicks a malicious link. Usually, this means replacing a source page with a phishing site before the victim navigates back to that original tab. Here, the redirection…