Operational Technology (OT) security is making headlines. Awareness of the topic is higher than it’s ever been. Yet we still see organizations get stuck when trying to move forward with their OT investments in people, process, and technology. Often the hurdles they face are really misconceptions about what they should do. Below are four common myths that trap organizations into inaction, and advice on how to move forward.

Myth 1: We need an asset inventory before we can do anything about OT security.

The intent behind this isn't all bad. Proponents will say "you can't protect what you can't see" which is hard to disagree with. The trouble comes when the artificial dependency is created in a way that keeps any other program development or security initiative from moving forward. In my experience, very few organizations and industries are willing to make the investment needed for a 100% complete OT asset inventory. Therefore, take what you have, make investments to improve, embrace continuous learning, and move asset inventory forward in parallel with other efforts.

<<< Start >>>

“We tried to automate purely asset management and asset inventory and we figured out one, there is no silver bullet for that. And two, that wasn’t going to get us to where we want to be.”
– Tony Souza, Director of Cyber Architecture, IT/OT Integration and TVM, Duke Energy

Watch the full discussion between Accenture’s Jason Holcomb and Duke Energy’s Tony Souza.

<<< Start >>>

Conquering complexities from OT program to OT SOC (Full Session)

View Transcript

<<< End >>>

Myth 2: We need all our OT business units to implement X technology for Y security purpose.

Too many organizations get hung up on a technical dependency, such as a specific architecture, a visibility tool, a firewall, a future operational system upgrade, or even just a ticketing system. If you wait for planetary alignment, especially in large, complex organizations, you are likely to create an artificial dependency. Be ready to accept technology diversity and heterogeneity while you make improvements.

Myth 3: We need full network and security visibility into our OT systems before we can move forward.

While we certainly advocate for as much visibility as possible, this too can be a hang-up for some organizations. Now you may be saying, "wait just a minute… we've been talking about the need for more OT visibility for years and now you're going to tell me to hold off?!” Not exactly. One security leader I spoke with who has multiple business units and a significant OT footprint shared his approach: When building our program, we looked at what could be accomplished in three years. Anything longer than that and the planning seemed too long of a horizon. This forced us to prioritize what to include and exclude, which meant some environments did not get included in the first phase of the OT visibility/asset/detection tool. But they didn't hold up the rollout to priority environments and construction of our overall OT SOC and OT security program.

Myth 4: We have no control or influence over OT systems because of <insert reasoning here>.

No organizational influence. Production operations rule the decision-making process. Our vendors won't listen to us. We have no political capital. Those systems are isolated. These are a few of the reasons we have heard for not moving forward. Many CISO organizations know that sooner or later they will be held accountable for OT security. So start building those relationships, start understanding how production operations work, start engaging with the vendors and engineering processes, and make sure you understand how your OT systems are connected. The old excuses will not survive in the end, no matter your organization’s current climate.

OT security is a complex journey and we often help our clients navigate investment prioritization --we understand not everything can be done at once and business decisions must be made along the way. Just make sure that as you navigate these decisions you don't get stuck by any of the aforementioned myths.

Need help building your OT program and OT network monitoring, detection and response strategy? Find out how our OT Cyber Fusion Center can help you test, validate and scope the right solution for your business.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

Jason Holcomb

Security Innovation Principal Director – OT Security, Accenture

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog