Many companies around the world with industrial operations environments, commonly referred to as operational technology (OT) environments, do not invest the same resources to protect OT systems as they do to secure their corporate enterprise environments. Yet, these same companies are investing significantly to transform these environments with modern technologies and techniques to improve productivity, become more efficient, increase worker collaboration through increased data analytics and achieve other benefits that will make the company more competitive through higher quality and cost-effective products.

Some of these new industrial process improvements include reduced latency through edge computing and 5G technologies, autonomous vehicles, robotics, cloud computing, industrial Internet of things (IIoT) devices, remote access and more. Yet the age-old problem persists: insufficient cybersecurity controls make these environments easy targets for cybercriminals and nation-state cyberattacks. Industrial OT environments are critical to a company’s financial well-being and, depending on what the company produces, may be essential for the functioning of the broader society and economy. A recent example is the semiconductor shortage that has impacted many companies that produce all types of electronic products, mobile phones and cars. The risk and impact of an OT attack are much higher than those of a cyberattack on the same companies’ corporate enterprise environment, where they already invest significantly today.

Most companies are taking shortcuts by looking for easy and cheap ways to protect their OT environments. This typically involves the purchase of OT intrusion detection system (IDS) technology that can help with device discovery, network visualization, some form of signature-based malware detection and identification of device vulnerabilities. This is a good start, but such a solution is far from the comprehensive security program required to mitigate the company’s risk from a broad set of OT threats.

In the corporate enterprise environment where companies have been investing in mature cybersecurity programs, a one-tool approach would be considered laughable and certainly would fail any compliance audit. So why are companies reluctant to invest in protecting their critical OT environments?

  1. Lack of governance: Companies have not established the roles and responsibilities for OT security. This is a critical step, and the trend is to assign the chief information security officer (CISO) this responsibility. This is because the CISO understands what a good security program requires. The CISO may not understand the OT environment, but this has not proven to be a significant issue.
  2. Lack of a quantitative risk assessment: Why quantitative? Because the business stakeholders will quickly support the need to invest in a cybersecurity program once they realize the financial impact on the business should they be unlucky enough to be attacked.
  3. Document “current state”: OT IDS products help with this activity but will not do it all. What type of insight do you need? You need a perspective on:
    1. People: Who needs access to the OT environment? Who already has access? How is this access managed? Is remote access common?
    2. Process: What are the industrial operations processes? What technologies support these processes? What processes are changing due to new digital transformation strategies?
    3. Technologies: Which devices support which industrial processes? Are there OT assets that are not connected to an IP network? How will these be protected? This inventory will be valuable for much more than security alone. For example, consideration should be given to integrating the OT device details into the company’s asset management system.
    4. Network Architecture: How is the network designed? Are leading practice security principles incorporated into the design? Many companies are digitally transforming their network infrastructure and leveraging 5G and WiFi. With OT original equipment vendors adding more industrial IoT capabilities to their new products, this should be a consideration and included in the security strategy.
    5. Threat Assessment: Which threats are relevant and which are not? It is very important to identify the threats that are relevant so that an effective and efficient security program can be developed to mitigate the risks.
    6. Vulnerability Assessment: What vulnerabilities exist currently? Are there associated controls in place to prevent the vulnerability from being exploited in a cyberattack?
    7. Data Discovery and Classification: What data is being produced and transmitted from the industrial environment? If you do not know, then data discovery, classification and protection must be added to the strategy and plan.
  4. Lack of an OT security strategy and plan: Once you understand the current environment, it is time to develop a cybersecurity strategy and plan to mitigate the risk of a cyberattack. This step seems logical, but it cannot be completed effectively without the first three steps. The quantitative risk assessment results establish the priorities. The plan should include techniques to continuously maintain visibility into all the areas referenced in step 3. It must put preventive controls in place to protect against known vulnerabilities. Finally, it must include solutions that monitor those controls to make sure they are operating effectively and, because controls can fail, solutions that identify when a cyberattack is exploiting a vulnerability so that you can respond quickly, mitigate any impact to the business and return to business as usual.
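As an added illustration (not code from the original article), the following minimal OT risk register ties together steps 2, 3 and 4 above: it records each device, the process it supports, whether it is IP-connected (and therefore visible to an OT IDS), its known vulnerabilities and any associated controls, then ranks assets by annualized loss expectancy. ALE (single loss expectancy multiplied by annual rate of occurrence) is a common quantitative method that the article does not name; it is assumed here as one way to produce the financial figures stakeholders ask for. All asset names, vulnerability labels, costs and likelihoods are constructed sample data.

```python
"""Minimal OT risk register: quantitative risk (ALE), current-state inventory
and a prioritized list of where to put preventive controls first.
Added example; all data below is constructed, not taken from the article."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class OTAsset:
    name: str
    process: str                      # industrial process the device supports (step 3.2)
    ip_connected: bool                # non-IP assets still need protection (step 3.3)
    vulnerabilities: list[str]        # findings from the vulnerability assessment (step 3.6)
    controls: dict[str, str]          # vulnerability -> associated preventive control
    downtime_cost_per_hour: float     # constructed business figure for step 2
    expected_outage_hours: float      # constructed estimate of outage length
    annual_rate_of_occurrence: float  # likelihood from the threat assessment (step 3.5)


def single_loss_expectancy(asset: OTAsset) -> float:
    """Financial impact of one successful attack on this asset."""
    return asset.downtime_cost_per_hour * asset.expected_outage_hours


def annualized_loss_expectancy(asset: OTAsset) -> float:
    """ALE = SLE x ARO: the yearly expected loss used to set priorities."""
    return single_loss_expectancy(asset) * asset.annual_rate_of_occurrence


def unmitigated_vulnerabilities(asset: OTAsset) -> list[str]:
    """Vulnerabilities with no associated control (the question in step 3.6)."""
    return [v for v in asset.vulnerabilities if v not in asset.controls]


def coverage_gaps(assets: list[OTAsset]) -> list[str]:
    """Assets an IP-based OT IDS cannot discover, so visibility must come
    from elsewhere (step 3.3)."""
    return [a.name for a in assets if not a.ip_connected]


def prioritize(assets: list[OTAsset]) -> list[tuple[str, float, list[str]]]:
    """Step 4: rank assets by ALE (highest first), then by the number of
    uncontrolled vulnerabilities, then by name for a stable order."""
    rows = [(a.name, annualized_loss_expectancy(a), unmitigated_vulnerabilities(a))
            for a in assets]
    rows.sort(key=lambda r: (-r[1], -len(r[2]), r[0]))
    return rows


# Constructed sample inventory (names, costs and rates are illustrative).
SAMPLE_ASSETS: list[OTAsset] = [
    OTAsset("PLC-LINE1", "bottling line 1", True,
            ["unpatched firmware", "default credentials"],
            {"default credentials": "credentials rotated; local auth only"},
            50_000.0, 8.0, 0.5),
    OTAsset("HMI-LINE1", "bottling line 1", True,
            ["remote access without MFA"], {},
            50_000.0, 4.0, 1.5),
    OTAsset("SERIAL-SENSOR-7", "boiler monitoring", False,
            ["no network segmentation"],
            {"no network segmentation": "serial gateway in isolated cell"},
            10_000.0, 24.0, 0.1),
]


if __name__ == "__main__":
    print("Priority  Asset            ALE ($/yr)   Uncontrolled vulnerabilities")
    for rank, (name, ale, gaps) in enumerate(prioritize(SAMPLE_ASSETS), start=1):
        print(f"{rank:<9} {name:<16} {ale:>10,.0f}   {', '.join(gaps) or '(none)'}")
    print("Not visible to an IP-based OT IDS:", ", ".join(coverage_gaps(SAMPLE_ASSETS)))
```

The ranking is what the article calls priorities set by the quantitative assessment: the HMI with unprotected remote access lands first because its expected yearly loss is highest, while the serial sensor, although invisible to an IP-based IDS, already has a control for its one finding and drops to the bottom.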

It is time that companies with OT environments start investing in their OT security programs. It will not be cheap or easy, so you should consider leveraging a trusted systems integrator with OT security experience.
