In the previous blogs in this series, Killian O’Leary, Partner with Barden’s IT Practice, took a closer look at ‘What is OT’, ‘why is it now a pressing consideration for organisations?’ and ‘OT & Digital Transformation’. Here, in the third and final part of the series, Killian looks at OT Security.
Why do these environments need protecting; and why are they so attractive to attackers?
So why would nation-states or terrorist organisations want to attack these environments? One answer is that the impact they can achieve is far more visible than that of a corporate IT cyber-attack.
For instance, they can cause an outage of safety systems, which can get people hurt or killed. They can also shut down the process, which impacts revenue streams (because the desired product levels are no longer getting out on time).
The loss could be millions of dollars within an hour. In addition, some of these environments deal with chemicals, petroleum and other materials that could have environmental impacts as well.
So you can see there are plenty of good reasons why these environments need to be protected.
Emerging security frameworks do offer some solace: IEC-62443 focuses on how to put controls in the right places in order to manage a particular risk.
These emerging standards (IEC-62443 and NERC CIP) are helping companies identify and mitigate key areas of risk.
Put security on the company agenda and get the basics right…
For now, the best that companies can do is to just start to get the basics right.
One of those basics would be to slow down and get a good security strategy in place.
Get some good visibility and accountability for all your devices and then determine what’s most critical and start prioritising by putting good security controls around those.
Another challenge is that these environments typically have lots of third parties, contractors and vendors working in them.
Therefore, controlling access and bringing visibility to who’s doing what is important.
Identify and classify the data that’s in these environments, so that you can put the appropriate security controls in place around that data.
Lacking OT security is a losing proposition for organisations. Winning strategies must leverage monitoring, access and data handling solutions to come out ahead.
OT Security – A Business Case (The Benefits, The Rationale)
A well-defined business case for automation cyber security will ensure management buy-in and long-term allocation of resources.
The first step to creating a security plan is to define a business case for OT Cyber Security. By justifying the business rationale, an organisation can reduce its cyber-risks, increase its resilience, and ensure the availability and reliability of associated systems.
Many in the OT world assume that their information technology (IT) department is handling the cyber security plan. IT professionals, who are responsible for ensuring the availability, integrity, and confidentiality of business and enterprise networks, are important members of a cross-functional team that develops and implements a utility-wide cyber security plan. However, the responsibility for protecting OT systems and networks, and the critical infrastructure they control, from a cyber security event lies with those who operate and maintain those networks.
An established cyber security business case will clearly define security roles and responsibilities for all utility personnel.
The business rationale for cyber security is based on the potential impact that a cyber security event can have on public health and safety, the environment, business continuity, emergency preparedness, regulatory compliance, and the public’s confidence in the utility.
By defining a business rationale for OT Cyber Security, executive management can define acceptable levels of risk for the utility, so that utility personnel can better understand the priorities to address in the security plan. By determining the cost-benefit aspects of security measures, the utility will get the maximum results from the money spent. Not having a well-defined security plan results in inefficient use of limited resources and can create a false sense of security.
Cyber security is not an absolute, but a matter of degree.
The challenge remains that many organisations still rely on legacy OT infrastructure, and trying to make these systems ‘IoT ready’ can be difficult. The ‘Operational Technology’ market worldwide is projected to grow by US$17 Billion, driven by a compounded growth of 6.4%.
There is a growing sense that the future of OT security could be based on a Cognitive (Feed-forward) Approach.
Cognitive systems are “Self-learning systems that use AI, machine learning and human machine interactions (By Control SCADA commands / trends / history). It is more of intelligent data driven security systems”.
The possible benefits could include reduced human intervention, increased accuracy, and increased system up-time.
Looking ahead, what will the future hold when it comes to OT? Only time will tell!
Having worked and trained with a number of international businesses, Killian moved into recruitment in 2011 and has held a number of leadership roles, both locally and nationally, since. Killian is a founding member of Barden’s IT recruitment practice, is a subject matter expert in Cyber Security (Cloud, Network, Infra, O/t) & Senior Tech careers, is a qualified and active career coach and advises CIOs and tech leadership teams on attracting and retaining world class talent. Get in touch with Killian at firstname.lastname@example.org.