In my frequent conversations with Chief Information Security Officer (CISO) clients in industrial companies across the Middle East, I find they have similar concerns to their counterparts elsewhere in the world. But there’s one issue that seems to come up more than any other. And for some CISOs, it’s keeping them awake at night.
What’s the worry? That while they’re accountable for cybersecurity across the whole company, and have a firm grip on the cyber risks to their information technology (IT) systems, there’s one important area of the business where their oversight and control are not as effective as they’d like. It’s in the plants and facilities where the operational technology (OT) resides.
The problem springs from a gradual convergence between IT and OT processes that started about 20 years ago. In those days, industrial control systems posed few cyber risks because they were mostly proprietary, ran on vendor-specific protocols, and were isolated from the internet (or at least assumed to be). Since then, the cybersecurity landscape has changed dramatically for industrial companies. As the connectivity of OT grew, both to IT and to the external world, OT systems became exposed to cyber threats that were never considered when they were designed – while a widespread expectation remained that the CISO would take the steps necessary to protect them.
For CISOs, the issue is compounded by the fact that exerting influence over what happens in OT isn’t always easy. In practical terms, OT is a totally different world from IT: the two areas of the business have different objectives (availability and safety first, rather than confidentiality), a different culture, and different personnel. Yet today’s CISOs have inherited the responsibility for maintaining cybersecurity in OT, which means they will be held accountable for the effects of any cybersecurity incidents that occur there.
Systems that are interdependent and connected – but with limited visibility
Unfortunately, many CISOs are not in a strong position when it comes to ensuring the right steps are taken in OT from a cybersecurity standpoint. While they are empowered to prescribe, in many cases with direct support from the CEO, it’s almost always the OT leadership who have the final say on what can and cannot be implemented in their systems. The situation often plays out like this: the CISO issues a policy for OT security – and despite the policy being non-optional, the OT function pushes back. The result is an internal struggle between cybersecurity and operations in which OT has the upper hand, since nobody wants to risk the business’s operations being disrupted by a security measure, whether that means a patch that forces an outage, an agent that cannot be installed on a vendor-certified controller, or a network change the vendor will not support.
The effect? CISOs are accountable for risks they can’t control. The challenge is all the greater since IT/OT connectivity and the digitalisation of industrial plants under Industry X strategies are increasingly pivotal in driving business performance. Having “intelligence everywhere” in operations boosts speed, efficiency and responsiveness, while giving corporate applications access to real-time OT data helps companies control and progressively improve operational effectiveness. This requires connectivity across the traditional border between IT and OT. But alongside the benefits, IT/OT connectivity also raises the risk that an incident in IT – which is much more exposed to cyber threats – may jump to OT, where the potential impact is magnified by the resulting operational disruption and, in the worst case, by consequences for safety and the physical process.
At root, this isn’t only a technical issue: the technologies to protect OT are available. It’s actually a governance problem. And for many industrial companies in the region, this challenge is made more complex by their holding company structure, where cybersecurity is a central service but the implementation of security measures is left to the individual operating companies. So the responsibility for implementing any cybersecurity measures recommended by the CISO rests with the plant and – it is important to note – is subject to constraints such as the industrial vendors’ views on whether deploying them is advisable on their systems.
The effects can be disastrous
To visualize what all this can mean in practice, imagine this scenario. The CISO in an industrial company with operations across the Middle East has been diligent in issuing appropriate cybersecurity standards for OT, clearly defining the control measures that should be implemented. However, the company’s OT vendor pushes back against some of these controls and imposes restrictions on them. A workaround is then agreed by all parties, but it does not fully satisfy any of them.
It later emerges that the workaround was not effective, and an incident occurs. The cause? The workaround was a compromise solution agreed only after extensive and frank discussions. During those discussions, each party tried to hold its position without understanding the complete picture: the security team did not fully grasp the operational constraints, and the OT side did not fully grasp the threat the control was meant to address. With the two sides fighting instead of working together, the result was a solution that proved not to be effective in practice, all because of a failure to reach mutual understanding around compliance with a security requirement.
Getting governance right
The main issue triggering this sequence of events? The lack of appropriate governance, including the right organizational structure, reporting lines and definition of responsibilities for cybersecurity in OT. This weakness was then exposed by the differing objectives and priorities of the CISO’s team and the operational plants. And while the more fortunate CISOs have board support, perhaps even reporting directly to the CEO, in most cases their remit in OT is limited to developing policies and verifying compliance.
This scope for the CISO role simply isn’t enough. It forces them into a reactive approach based on dealing with incidents in OT after they occur, which in turn means the business is running cyber risks that are much higher than they need to be. The solution lies in implementing a modern, best-practice organizational and governance structure for cybersecurity that encompasses both IT and OT. In my next blog post, I’ll look at what such a structure might look like. Stay tuned.
And if you’d like to discuss anything I’ve said in this blog, please get in touch. I’d love to hear from you!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.