The Tipping Point for OT Cybersecurity

Daniel Bren -
The Tipping Point for OT Cybersecurity
Illustration: © IoT For All

In a recovering post-pandemic world, interconnectivity and digitalization continue accelerating at an unprecedented pace. With advanced technology penetration and the interconnectedness of industrial devices, organizations are increasingly reliant on operational technology (OT) to keep their businesses running and competitive. Moreover, in many cases, these advancements have become key foundations driving new revenue streams. The next five years will be critical for industrial control systems (ICS) and OT cybersecurity. Driven by multiple factors, experts agree that a major ICS/OT cyber-attack is inevitable. Forrester analysts alarmingly have predicted that in 2023, 60 percent of all businesses will experience a major or minor OT security incident. The question is not if, but when a major ICS/OT attack will happen.

“With advanced technology penetration and the interconnectedness of industrial devices, organizations are increasingly reliant on operational technology (OT) to keep their businesses running and competitive.”

-Daniel Bren

Protecting Your Company

Taking a proactive approach to reducing risks for cyber-physical systems helps ensure that industrial manufacturing, critical, and smart infrastructure organizations maintain resilient operations. That is because a focus on reducing risks and vulnerabilities to ICS and OT cybersecurity will be far more effective than reacting after an anomaly has been detected or a security breach has occurred. By that time, the damage will already be done.

Key steps need to be taken in order to help keep your company’s operations resilient. Mainly, you need to utilize a risk-based approach to OT security and ensure that your cyber-physical systems regularly assess risks and reduce vulnerabilities to help prevent breaches that result in ransomware.

Risk-Based Approach to OT Security

The common risk-based approach to OT cybersecurity should have two elements:

  1. Identifying critical risks
  2. Making them a priority

Therefore, a risk-based approach requires skills in both risk assessment and reacting nimbly. Risk assessment skills involve several unique competencies, especially for OT security. A straightforward example is assessing an organization’s security posture, yet this crucial element is insufficient by itself.

The real challenge is correlating technical findings to their impact on the business — both financial and operational. So how do businesses assign a monetary value to each OT security finding and corresponding risk reductions they achieved by implementing different mitigations?

Driven by reality, regulatory agencies worldwide have started pushing for cyber risk governance. This requires businesses to remain up-to-date with regulatory changes. Most importantly, you need the ability to understand how compliance risks can arise from your company’s internal processes.

This includes new technology systems, third-party software and hardware solutions, and third-party service providers. Call to action – be ransomware ready. To safeguard your OT infrastructure and mitigate the risk of a cyber breach, you need to go beyond asset visibility. Let’s look at what you do to prepare for these potential threats and mature your organizational OT cybersecurity.

Three Key Steps

#1: Regular, Contextualized Assessments

You need to understand what assets are at risk in your business, and what potential damage scenarios would be if such assets were compromised.

#2: Enhance IT & OT Collaboration

One of the main challenges today is the collaborative need for IT security with on-site automation experts. Only through this collaboration can effective and efficient risk mitigation will be met. Using the proper native technology will not only automate the operation but also accelerate the maturity, hence, the preparedness.

#3: Prescriptive Mitigation

Due to the unique nature of the operational environment, many of the traditional IT-related practices (e.g., patching and non-safe scanning) are not relevant. Leveraging the power of cross-domain data analytics will enable you to automatically determine an optimal course of action.

By considering all relevant factors and available security controls, this type of analysis will not only yield recommendations for the next steps but also will provide the different practitioners with operational safe practical actions to mitigate risk.

After that enhanced risk assessment comes with the job of reacting to identified risks. As mentioned, being nimble is essential for this process to succeed. It also requires many specific abilities for the compliance program. First, the program will need the skill to implement the controls. Your organization needs the skills to validate and execute compensating controls.

To monitor progress and report compliance, the program will need evidence-based reporting dashboards and reports for internal progress, senior leadership regulators, business partners, and anyone else that your compliance program has thought through its regulatory and corporate compliance strategies.

Next Steps

Security automation is essential for operating technology safely and effectively. Cyber-physical systems are vulnerable and need to be protected. However, simply assessing vulnerabilities (asset vulnerability) or mapping assets (vulnerability mapping) is insufficient.

In order to make the best decisions about where to allocate resources for OT security, you also need to understand how effective your security controls are and how exploitable different assets are.

Only then can you make smart decisions about resource allocation to reduce critical risks. Have you designed a multi-phase plan for your OT security yet? Facing this coming reality with haste is of the utmost importance.

Author
Daniel Bren - CEO and co-founder, OTORIO

Contributors
Guest Writer
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.