Many companies around the world with industrial operations environments, commonly referred to as operational technology (OT) environments, do not invest the same resources to protect OT systems as they do to secure their corporate enterprise environments. Yet, these same companies are investing significantly to transform these environments with modern technologies and techniques to improve productivity, become more efficient, increase worker collaboration through increased data analytics and achieve other benefits that will make the company more competitive through higher quality and cost-effective products.

Some of these new industrial process improvements include reduced latency through edge computing and 5G technologies, autonomous vehicles, robotics, cloud computing, industrial Internet of things (IIoT) devices, remote access and more. Yet, the age-old problem continues to exist whereby insufficient cybersecurity controls make these environments easy targets for cybercriminals and nation-state cyberattacks. The industrial OT environments are critical to a company’s financial well-being and, depending on what the company produces, may be essential for the functioning of the broader society and economy. A recent example is the semiconductor shortage that has impacted many companies that produce all types of electronic products, mobile phones and cars. The risk and impact of an OT attack are much higher than a cyberattack on these same companies’ corporate enterprise environment where they invest significantly today.

Most companies are taking shortcuts by looking for easy and cheap ways to protect their OT environments. This typically involves the purchase of OT intrusion detection system (IDS) technology that can help with device discovery, network visualization, some type of signature-based malware detection and device vulnerabilities. This is a good start, but this type of solution is far from a comprehensive security program that is required to mitigate the company’s risk from a broad set of OT threats.

In the corporate enterprise environment where companies have been investing in mature cybersecurity programs, a one-tool approach would be considered laughable and certainly would fail any compliance audit. So why are companies reluctant to invest in protecting their critical OT environments?

  1. Lack of governance: Companies have not established the roles and responsibilities for OT security. This is a critical step, and the trend is to assign the chief information security officer (CISO) this responsibility. This is because the CISO understands what a good security program requires. The CISO may not understand the OT environment, but this has not proven to be a significant issue.
  2. Lack of a quantitative risk assessment: Why quantitative? Because the business stakeholders will quickly support the need to invest in a cybersecurity program once they realize the financial impact to the business should they be unlucky enough to be attacked.
  3. Document “current state”: OT IDS products help with this activity but will not do it all. What type of insight do you need? You need a perspective on:
    1. People: Who needs access to the OT environment? Who already has access? How is this access managed? Is remote access common?
    2. Process: What are the industrial operations processes? What technologies support these processes? What processes are changing due to new digital transformation strategies?
    3. Technologies: Which devices support which industrial processes? Are there OT assets that are not connected to an IP network? How will these be protected? This inventory will be valuable for lots more than just security. For example, consideration should be given to integrating the OT device details into the company’s asset management system.
    4. Network Architecture: How is the network designed? Are leading practice security principles incorporated into the design? Many companies are digitally transforming their network infrastructure and leveraging 5G and WiFi. With OT original equipment vendors adding more industrial IoT capabilities to their new products, this should be a consideration and included in the security strategy.
    5. Threat Assessment: Which threats are relevant and which are not? It is very important to identify the threats that are relevant so that an effective and efficient security program can be developed to mitigate the risks.
    6. Vulnerability Assessment: What vulnerabilities exist currently? Are there associated controls in place to prevent the vulnerability from being exploited in a cyberattack?
    7. Data Discovery and Classification: What data is being produced and transmitted from the industrial environment? If you do not know, then data discovery, classification and protection must be added to the strategy and plan.
  4. Lack of an OT security strategy and plan: Once you understand the current environment, it is time to develop a cybersecurity strategy and plan to mitigate the risk of a cyberattack. This step seems logical, but it cannot be completed effectively without the first three steps. The quantitative risk assessment results establish the priorities. The plan should include techniques to continuously maintain visibility into all the areas referenced in step 3. It must have preventative controls put into place to protect known vulnerabilities. Finally, there must be solutions included to monitor the controls to make sure they are operating effectively. If they are not, there must be solutions to identify when a cyberattack is exploiting a vulnerability so that you can quickly respond to mitigate any impact to the business and quickly return to business as usual.

It is time that companies with OT environments start investing in their OT security programs. It will not be cheap or easy, so you should consider leveraging a trusted systems integrator with OT security experience.

More from Risk Management

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today