To date in my series of blog posts exploring the challenges and opportunities around cybersecurity in operational technology (OT), I've provided many thoughts and perspectives for Chief Information Security Officers (CISOs) to bear in mind when addressing this fast-growing area of risk. Looking across the series, what overarching messages emerge? In my view, two in particular shine through.
The first is that ongoing IT/OT convergence means OT cybersecurity is now a part of their organization's landscape that no CISO can afford to ignore. The second is that technology tools, techniques, and organizational structures are now readily available to enable CISOs to secure OT against damaging attacks – effectively bringing it the same level of protection as IT.
But where to start, and what route to take? Drawing on my previous blogs, here's a brief guide summarising the CISO's five-stage journey to effective cybersecurity in OT.
Step 1: Acknowledge the challenges of a converging IT/OT landscape
The first step is to accept the need for action. CISOs are responsible for cybersecurity across their entire company, and are fully on top of the threats to their IT estate. But when it comes to the plants and facilities where OT resides, their oversight and control are less effective. And while that situation has existed for many years, it's now becoming a serious problem.
Why? In the past, OT systems were mostly proprietary and isolated from the internet, meaning they posed few cyber risks. Fast-forward to today and the landscape has changed dramatically. As the connectivity of OT has grown, both to internal IT and the external world, OT systems have become vulnerable to cyber-threats that weren't even considered when they were designed. Yet OT security is regarded as within the CISO's ambit – even though it's the OT leadership who decide what can be implemented in their systems.
The effect is that CISOs are accountable for risks they can't control. And these risks are increasing, as companies implement Industry X strategies that improve operational effectiveness by enabling corporate applications to access real-time OT data. While this rising IT/OT connectivity brings major benefits, it also raises the risk that an incident in IT may jump to OT, creating potentially catastrophic operational disruption.
As CISOs face up to this risk, the good news is that technologies to protect OT are readily available. But in reality, the challenge isn't primarily around technology: It's mostly a governance problem. Which is why the second step on the route to securing OT is to implement effective OT security governance.
This is often made more difficult by some embedded barriers. One is that the company depends directly on operational leadership to make most of its money, meaning they're highly influential in decision-making. Another is that since operational leaders are accountable for anything that goes wrong with OT, they tend to be quite protective of their OT systems, and don't want other teams to make changes to them. What's more, OT teams often distrust cybersecurity measures imposed by IT, and lack specialist cybersecurity skills.
How to overcome these barriers? By putting robust governance in place – starting with giving the CISO a seat at the top table, reporting directly to the CEO. It's also a good idea to create a formal governance body bringing together all the parties involved in OT security. Another positive move is to create a community of practice, enabling people at different levels to discuss OT cybersecurity and helping to unearth 'hidden' talent. Many companies also engage with an independent, trusted cybersecurity advisory firm that can work across IT and OT.
Step 3: Adopt an impact-based approach to assessing cyber risks
With the right governance in place, it's time to zero in on the actual risks, by adopting a fresh approach to assessing and managing cyber threats to OT. This means moving away from the traditional methodologies based on the defining scenarios and assigning the probability of them occurring, and instead applying an approach that assumes an adverse event will materialize at some point.
The effect? Instead of calculating the probability of an event and then its impact, the assessment establishes how well-prepared each of the organization's systems is to minimize the impact and recover promptly if and when that event arises. The level of preparedness can be determined by defining a target cybersecurity posture for each system based on applicable industry standards.
The posture for each system can be underpinned by a baseline of security controls that reflect the potential impact of an incident involving it. The result is a tiered approach – one where key safety systems have the maximum level of protection, while ancillary systems that would cause less impact may have only the basic security measures.
Step 4: Extend zero-trust architecture (ZTA) concepts to OT
The OT cyber risk assessment and approach can be further enhanced by applying zero-trust architecture (ZTA) concepts to OT. Traditional cybersecurity methodologies assume that networks within an organization's perimeter are secure. By contrast, with ZTAs no resource inside or outside the perimeter is trusted, and every device, user, service and application is considered non-trustworthy until proven otherwise. So communications between them are tightly controlled, and every session must be mutually authenticated between endpoints.
ZTAs are commonly used in complex IT environments. But implementing them in OT environments is more complex, since these often contain legacy industrial technologies unable to meet ZTA's authentication and security demands. Also, even a small delay created by authentication in OT can negatively impact production. However, more positively, OT environments tend to be more stable than IT in terms of the number and type of devices.
These factors need to be taken into account when implementing ZTA in OT. In brownfield environments, it's vital to have proper asset management and inventory, which can help to identify deviations from ZTA principles and trigger investigations. In greenfield sites, introducing ZTA principles during the design phase enables the selection of OT devices that comply with ZTA.
The steps I've set out above will help organization to bridge the traditional cybersecurity divide between IT and OT. However, the full benefits will not be realized without an incident response capability that can act across both areas. Ideally, there should be no distinct incident response (IR) for OT – just a single IR capability in which IT and OT operate cooperatively and simultaneously. But while this is ideal in theory, it's complicated to achieve in practice.
Why? In many organizations, the IT and OT teams have different objectives. Partly as a result, the business doesn't have a single Security Operations Center (SOC) covering both IT and OT. Instead, they maintain an IT SOC that – when called upon to act in the OT environment – relies on some capabilities provided by the OT organization. But IT/OT convergence means this siloed approach is no longer fit for purpose. What's needed is a unified IR process based on five elements:
Collaboration between IT and OT teams, using a common, shared process throughout.
Cross-training of IT and OT security teams, so they understand each other's challenges.
Understanding of the OT environment, with an up-to-date inventory of OT assets and their cyber exposures.
Creation of a security baseline with solutions specifically designed for the OT environment.
A 'test and evolve' approach, ensuring IR plans are tested and refined before being executed.
A further useful action is to prepare OT-specific IR playbooks, with clear guidance and pre-approved actions and authorizations. Finally, the organization should develop a full IR plan, coordinating with internal business units and external vendors, suppliers and other partners to identify optimum recovery strategies. Then when incidents occur and lessons are learned, the company should conduct regular exercises to test out new approaches drawing on those lessons.
Bringing OT under the CISO's cybersecurity umbrella
For industrial companies across the Middle East and worldwide, the steps I've described to address cybersecurity risks in OT are not optional. They're imperative. As the traditional IT/OT divide blurs and cyber threats to all connected devices and equipment continue to grow, companies that fail to adequately protect their OT are putting their very future at risk. So it's time for the CISO to seize the initiative – and establish visibility and control over OT.
If you'd like to discuss anything I've said, please get in touch. I'd love to hear your views!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Managing Director – Technology, Cybersecurity Energy Lead, Middle East