It’s important for businesses to ask the right questions when it comes to their digital safety and cybersecurity. Information technology (IT) security needs, by definition, fall to IT departments. However, security needs related to operational technology (OT) are often left unattended. OT is the most essential element of any manufacturing plant. Properly protecting it is a worthwhile investment to keep business operations online and running smoothly. Doing so sometimes means changing the culture within an organization to one that constantly and inherently prioritizes OT security and digital safety.
“IT/OT convergence is a message we hear an awful lot about in the field, but in practice, IT and OT are like oil and water,” said Dino Busalachi, co-founder and chief technology officer of Velta Technology. “It’s true that IT needs to be involved in the process. They need to be on the field and in the huddle, but they cannot be expected to be the quarterback of your OT cybersecurity gameplan.”
Common missteps in OT security
Many companies assume their IT team is handling OT security when in reality IT is ill-equipped and lacks the knowledge and toolsets to safeguard this vital equipment. Businesses that are over-reliant on IT teams to fortify OT security put themselves at risk of lost data, costly downtime and physical safety hazards.
It can be a costly mistake to assume IT departments and OT engineers are collaborating or have similar cybersecurity objectives. Other common missteps often seen involving industrial assets include:
- Trusting cyber insurance to provide risk protection when something eventually goes wrong.
- Expecting staff to assume cybersecurity and digital safety responsibilities on top of their existing responsibilities.
- Underestimating employee skillsets and the tools necessary to protect the business from cyber intrusion attempts that are becoming increasingly sophisticated.
- Lacking visibility or the ability to keep watch over the various security components of industrial control systems.
Questions the C-suite should ask about OT security
To determine where a company stands in terms of their OT security, C-suite executives must ask themselves a series of critical questions to identify gaps and vulnerabilities:
- Do we have an easy way to pull an accurate, up-to-date inventory list of our connected plant floor assets and vulnerabilities?
- Are we protecting our industrial environments with the same rigor as our enterprise/IT environments?
- Who ultimately bears responsibility for protecting our industrial assets from cyber threats?
- How do the recent changes in cybersecurity insurance affect our coverage and risk-mitigation strategies?
- Are we protecting value within the company as much as we are creating value for it?
Answering these questions provides a deeper understanding about which specific security measures are needed to better inform decision making about what to do next.
“C-suite executives need to look at their asset networks and determine if they are applying the necessary due diligence to thwart cybercrime and prevent OT mishaps,” said Craig Duckworth, president and co-founder of Velta Technology. “If they’re falling short in this critical area, they need to be prepared to deal with consequences that could stem from an OT system breach or shutdown. Cybercrime is still on the rise, and OT is an area that is more frequently being targeted.”
If a company falls victim to a breach, it could involve both digital and physical risks. For example, if a business specializes in the chemical treatment of wastewater, a cyberattack shutdown could stop the line, leave chemical substances in limbo and create a serious health hazard.
Businesses that rely on a continuous, uninterrupted supply chain should take extra precautions to protect themselves. As the COVID-19 pandemic has starkly demonstrated, supply chains are often the weakest link between product fulfillment and missed delivery deadlines. OT security oversight can go a long way toward ensuring shipments complete a successful and timely trek from point A to point B.
Why the C-suite needs to take action on OT cybersecurity
It’s evident that CEOs can no longer turn a blind eye to OT security. According to a Gartner report, it is anticipated that 75% of CEOs will be held personally liable for cybersecurity incidents by 2024. Thought Lab Group says an increase in attacks from social engineering and ransomware is likely as nation-states and cybercriminals become more commonplace. These attacks target weak spots primarily caused by software misconfigurations, human error, poor maintenance and unknown assets.
With an $8 trillion price tag associated with the global cost of cybercrime, it behooves C-suite executives to take action on the OT front. This leaves CEOs four options:
- Identify OT cybersecurity risks and build capabilities to address them.
- Replace all industrial systems and equipment with the latest versions.
- Backtrack and disconnect all industrial systems from external activity.
- Do nothing and assume all risks as acceptable.
“In order to properly secure and glean greater visibility into OT assets, these conversations must take place on a broader scale within the organization,” Busalachi said. “Investing in OT teams at the center of this effort is a crucial step in the journey toward complete digital safety for industrial environments. Conducting a tabletop exercise or inquiring about a CDV index are great places to start.”
In the same Thought Lab survey, 29% of CEOs and CISOs, and 40 percent of chief security officers, admitted they felt their organizations were unprepared to handle a future landscape full of rapidly changing cyber threats. By prioritizing and investing in digital security, CEOs can establish a proactive posture rather than simply being reactive to these needs as they arise.
“OT engineers understand these dynamics but cannot be expected to take on cybersecurity for an entire plant floor, unless they have an allotted budget and there’s buy-in and support from the very top of the organization,” Busalachi said. “At the end of the day, the solution boils down to ownership. And until organizations start having internal conversations where peer groups are actively participating in all things related to industrial control system security, then this IT/OT convergence we hear so much about is nothing more than a fantasy land.”
Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.