By Daniel Bren, CEO & Co-founder
As we enter 2023, it's important to examine your organization’s approach to OT security. Having an effective security plan for your organization’s cyber-physical systems and related OT security professionals is an important and timely New Year’s resolution.
Every day the media describes how Advanced Persistent Threat (APT) actors (criminal and nation-state proxies) continue to attempt cyber-attacks against critical infrastructure and industrial manufacturing. In 2022 we witnessed APTs that demanded ransomware, and — along with nation-state entities — harmed business operations, wreaked havoc on operational environments, and dramatically impacted supply chain security.
That’s why having an effective OT security plan in place for your organization and its security professionals is an essential New Year’s resolution. Now more than ever, organizations that rely on operational technology must effectively safeguard their OT environments, maintain operational resilience, and enhance their security posture for the coming year.
Here are four steps you should take to help keep your company’s operations resilient in 2023. First and foremost, foster OT cybersecurity awareness among your business unit owners. Second, utilize a risk-based approach to OT security. Third, be sure that your OT and cyber-physical systems regularly assess risks and reduce vulnerabilities to help prevent breaches that lead to downtime and ransomware demands. Finally, follow rapidly-evolving regulatory and organizational compliance requirements.
While OT cybersecurity awareness is key, not enough attention has been placed on calls to action. ICS security is not just about technology; it is also about business continuity. The first challenge that organizations face is making business unit owners aware that they must not only budget for OT security, they must also be active risk mitigation partners with their IT and OT security practitioners.
How should management and security practitioners counsel their business owner colleagues with informative, positive awareness about the impact and importance of OT security? One common approach is using a “fear strategy” to motivate awareness, but this approach will only take you so far, especially when you want to support your team’s mitigation efforts.
Therefore, developing sustainable OT security awareness with business owners calls for a different approach.
The second New Year’s resolution is to utilize a risk-based approach to OT cybersecurity comprising two elements: identifying critical risks and making them a high priority. A risk-based approach therefore requires both risk assessment skills and the ability to react nimbly. Risk assessment skills for OT security involve several unique competencies, including assessing an organization’s security posture, but this crucial element is insufficient on its own.
The real challenge lies in correlating technical findings about security risks and vulnerabilities with their potential financial and operational impact on your business. How do businesses assign a monetary value not only to each OT security finding, but also to every corresponding risk reduction achieved by mitigating security gaps, particularly critical, high-priority ones?
After enhanced risk assessment comes the task of managing identified risks. Again, being ‘nimble’ is essential for this process to succeed. It also requires many specific abilities on the part of your organization’s compliance program. The program will need the skills to implement the controls, and your organization needs the skills to validate and execute compensating controls.
Once again, the purpose of using a risk-based approach is to identify priorities. When teams and individuals reasonably ask, “Why are we doing this?” clear and precise compliance reports will provide the answers.
To monitor progress and report compliance, your risk-based assessment program will need evidence-based reporting dashboards and reports for internal progress, senior leadership regulators, business partners, and anyone else involved in your compliance program’s regulatory and corporate compliance strategies.
Driven by reality, regulatory agencies worldwide have started implementing and pushing for cyber risk governance. This requires businesses to remain up-to-date with regulatory changes. Whether new regulations will affect your business or existing ones will become higher enforcement targets, organizations cannot afford to treat such newly enacted legislation as low a priority.
Whether you are a North American electric utility or a European-based industrial manufacturer whose products are deemed essential (e.g., pharmaceuticals), in 2023 we will see more OT cybersecurity regulations put into effect across the U.S., Canada, and Europe.
As highlighted above, organizations continue to implement and enhance their internal corporate compliance policies to reduce internal risks. These organization-wide policies help teams stay informed and vigilant about issues like phishing risks, secure remote access, authorized access, and more.
To safeguard your OT infrastructure and mitigate the risk of cyber breaches that can lead to ransomware and downtime, you need to go beyond asset visibility. What can you do to prepare for these risks and mature your organizational OT security? Technology plays an integral part, but it's not enough.
It’s essential to design the required operational security processes and skill sets. Since risks are imminent and OT security practitioners are hard to come by, choosing the right technology and implementation partner can accelerate the design process and skill set that IT and operational security practitioners must develop.
Here are three key steps:
OTORIO has extensive global experience enabling industrial manufacturing, critical infrastructure, smart transit and logistics organizations to implement comprehensive security for OT and cyber-physical systems by utilizing our RAM2 solution. Clients integrate this OTORIO operational technology security platform for risk-based assessment, monitoring, and management of security gaps and vulnerabilities. They benefit from the expertise of our partners and OTORIO’s professional services team.
Contact us to see how we can help you set and keep your 2023 OT security New Year’s resolutions.