With the escalating threats to critical assets and potential adverse impact, organizations need to expand security programs to encompass cyber-physical systems. In a recent Gartner survey, security and risk leaders ranked the Internet of Things (IoT) and cyber-physical systems as their top concerns for the next three to five years. Cyber-physical systems encompass concepts such as IoT, IIoT (Industrial Internet of Things), and ICS (Industrial Control Systems) controlling physical outcomes that are put at risk due to operational technology (OT) and information technology (IT) convergence trends.
With the need to address heightened risks and concerns of potential adverse cyber events with OT equipment, how do organizations get and keep their engineers and technicians up to speed with the latest knowledge and strategies needed to ensure industrial security? Digital safety, as we call it, is an important capability that needs to exist in industrial operations. With talent shortages and the heightened cyber risk facing critical infrastructure and manufacturing organizations, the government, industry and organizations are adapting as quickly as possible to counter external threats.
Understanding OT security
OT and infrastructure organizations are playing catch-up compared to their IT counterparts in relation to security and cyber defense. Unfortunately, because OT operates with equipment unique to production environments, very little from IT security applies to OT. The strategies and solutions necessary to secure industrial control systems and manufacturing or critical infrastructure environments are unique when compared to traditional IT security.
Until recently, OT security had not been front and center with either focus or budget. In order to get the right level of support for OT teams, many organizations are building the case for investment dollars for training and cybersecurity solutions. Since a shortage of experienced talent and resources knowledgeable in OT industrial cybersecurity exists, most organizations outsource or contract this expertise with companies that specialize in cybersecurity for industrial environments.
Just as IT teams utilize expert resources and services through their ecosystem of partners and vendors, OT must do the same. The most efficient way for OT teams to get their engineers and technicians up to speed on the latest cybersecurity concepts and solutions for production environments is by leveraging outside training and pairing engineers and technicians with external OT cybersecurity experts.
Part of the risk with OT and IT security is that without tools to assess the complete production and network environments, many engineers and technicians will assume that they’re covered. Unfortunately, the real education sometimes comes following a breach or detrimental cyber event.
Most companies have multiple points of vulnerability and risk with their operational technology but lack the visibility to see the risk. As an example of training and insight necessary for OT environments, Velta Technology works as an extended part of the internal OT production or manufacturing team to complete a 3-week visibility study, including a Gemba walk of the plant floor. This process verifies and identifies equipment connected to the network but not always detected by a continuous monitoring platform.
Much of the cybersecurity training for engineers and technicians comes as a result of working through the process of identifying vulnerabilities and taking steps to mitigate areas of risk. Due to the complicated nature of industrial equipment and the common use of multiple external vendors to maintain industrial equipment, remote access by third parties in the supply chain poses a unique risk to OT environments. Establishing protocols and ensuring solutions are in place to identify and secure remote access by anyone outside of the network is another skill engineers and technicians must learn and oversee.
Increasing industrial threat
Due to rapid changes in the industry, risks to ICS and OT equipment, and the need for ownership and accountability of cybersecurity, changes in team structures are coming. Gartner predicts that by 2025, 50% of asset-intensive organizations such as utilities, resources and manufacturing firms will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.
Unlike most IT cybersecurity threats, cyber-physical threats are of increasing concern because they could have a wide range of impacts, from financial loss to loss of life. Implementing a cybersecurity maturity model is a necessity. With the shortage of experienced cybersecurity professionals and the overextended workload of most internal teams, choosing the right partner to help you get a solid cybersecurity model in place and operationalized is crucial. Assessing a prospective partner's approach to training and educating internal teams should be a priority, given the rapid changes and the lack of cybersecurity knowledge among most internal teams.
Ensuring agreement around ownership of the security of industrial equipment on the plant floor is one of the first steps most internal teams need to tackle. A discovery session, often facilitated by experienced practitioners, with key stakeholders including the C-suite and enterprise and operational asset owners, is a valuable initial step toward solving this. A tabletop discovery session facilitates alignment discussions around who owns what in the organization and the potential scenarios of risk. It can also shed light on ownership issues for security of industrial equipment on the plant floor.
Once this is tackled, you can begin the process of identifying the right partner to work with internal OT teams to secure the industrial production environments from adverse events. The reality is that most training for engineers and technicians in relation to cybersecurity will come because of either an adverse event, or because a company proactively engages a partner to work with them to secure their industrial environments. The important thing is to not wait. Don’t assume that you’re covered by cyber insurance or because someone internally assumes you’re covered or assumes you wouldn’t make a good target. Trust but verify. It’s much better to be proactive than reactive when it comes to digital safety and cyber protection.