Crucial yet Challenging: OT Security Assessments

21 Mar 2023

Daniel Bren, CEO

As systems become more interconnected and digitised, the threat landscape for IT-IoT-OT security continues to evolve. The need for robust OT security practices has become increasingly important to mitigate the risks of cyber threats.

Continuous ransomware readiness and OT security assessment

In today’s economy, ransomware attacks are becoming increasingly common and have caused significant disruption to business operations, financial loss, and reputational damage. Hence any organisation, and particularly an OT-dependent one, should be “ransomware ready”, prepared for the potential impact of a successful ransomware attack.

Whether your organisation is part of critical infrastructure such as power plants, utilities, water treatment facilities, transportation systems, energy, oil and gas, manufacturing, or smart infrastructure, it is important to be aware of the potential consequences of a successful ransomware attack.

Such an attack can result in significant disruption, loss of productivity, harm to public safety, and damage to human health and the environment. The financial impact can also be substantial, due to system downtime, loss of productivity, and the cost of recovery efforts.

Additionally, a ransomware attack can cause reputational damage, including loss of customer trust, and may result in legal and regulatory consequences.

How Operational Technology Has Progressed

In recent years, there has been significant progress in OT (Operational Technology) cyber security regulatory action in both the US and EU. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) has taken steps to improve OT cyber security, including the release of several guidelines, best practices and specific cyber security standards, such as the NIST Cybersecurity Framework. Additionally, the US Department of Energy has announced new cybersecurity requirements for electric utilities and other critical infrastructure entities.

In the EU, the Network and Information Systems (NIS) Directive was adopted in 2016, requiring member states to implement measures to improve cyber security for critical infrastructure operators. The directive applies to operators of essential services in critical sectors such as energy and transport. More recently, NIS2 proposes updates to the existing directive, including expanding its scope to additional sectors, such as manufacturing and the food industry, and introducing new obligations for digital service providers.

Overall, the US, Canada and the EU have all been taking significant steps towards improving OT cyber security through regulatory action and standards development. This is in recognition of the growing threat posed by cyber attacks to critical infrastructure and the need for increased resilience and preparedness.

Being ransomware ready can help organisations meet these compliance requirements and avoid potential legal or financial consequences.

Additionally, ransomware readiness can be very beneficial for customers who are applying for cyber insurance as it demonstrates to insurance providers that the organisation has taken steps to minimise the risk of a ransomware attack and is better prepared to handle the aftermath of such an attack. This can reduce the overall cost of the attack, which in turn can positively impact the organisation's insurance coverage and premiums.

What does an OT risk assessment involve?

An OT cyber assessment contributes to ransomware readiness by identifying vulnerabilities in an organisation's OT systems and developing strategies to mitigate those risks. The assessment can inform the development of incident response plans specific to ransomware attacks and help organisations be better prepared for an attack. By mitigating vulnerabilities, organisations can reduce the likelihood of a successful ransomware attack and minimise the impact of an attack if one occurs.

In conclusion, performing an OT cyber assessment is essential for organisations to identify potential security risks, meet compliance requirements, protect critical infrastructure, ensure business continuity, and gain a competitive advantage in the marketplace.

Going beyond one time assessment

The OODA loop is a decision-making model whose name stands for Observe, Orient, Decide, and Act. It is commonly used in military and business contexts, but it is also applied to cybersecurity assessments to improve the effectiveness of the assessment process. It is an important framework for decision-making and action in complex and rapidly changing situations.

The OODA loop is particularly important in cybersecurity because it enables organisations to respond more quickly and effectively to cyber threats.

Based on the OODA framework, an OT (Operational Technology) cyber assessment report should not be treated as a one-time activity, for several reasons:

  • OT systems are constantly changing and evolving.
  • New threats are continually emerging.
  • Internal policies and new regulatory compliance requirements are introduced.

In conclusion, a cybersecurity assessment report is not a one-time activity but rather a snapshot of your organisation's security posture at a particular point in time. It is essential to treat the report as a living document and continuously monitor and update your organisation's security posture based on the identified risks and recommendations.

After conducting a cybersecurity assessment, there are several actions that you should take to ensure that your organisation is adequately protected against cyber threats.

9 steps to take after an OT security assessment

1. Prioritize Risks

The cybersecurity assessment report will likely highlight several risks to your organisation's cybersecurity. Prioritising those risks based on their potential impact and likelihood of occurrence is essential in determining which risks should be addressed first. This can help you allocate resources and focus on the most critical risks first.

2. Develop an Action Plan

Based on the prioritised risks identified in the cybersecurity assessment report, you should develop a comprehensive action plan outlining the steps that you will take to address those risks. This plan should include specific actions, timelines, and responsible parties.

3. Implement Controls

Implementing the controls recommended in the cybersecurity assessment report is critical in mitigating the identified risks. These controls may include technical solutions such as firewalls, intrusion detection systems, and antivirus software, as well as procedural controls such as employee training, secure remote access controls, and incident response planning.

4. Monitor and Test

Continuous monitoring and testing are essential to ensure that the implemented controls are functioning correctly and to identify any new vulnerabilities or threats. Regularly reviewing and updating security policies and procedures can help keep your organisation's security posture current and effective.

There are some challenges when performing an OT cyber assessment:

5. Manual OT assessments

Conducting a manual OT cyber assessment can present several drawbacks, including:

  • Being time-consuming, due to the complexity of OT systems and their numerous components and configurations.
  • Having a limited scope, as assessors may not possess the knowledge or experience to identify all potential attack vectors or vulnerabilities, resulting in an incomplete assessment.
  • Generating inconsistent results, as different assessors may use varying methodologies or possess different levels of expertise.
  • Making it difficult to track changes over time, particularly if the assessment is not adequately documented or if the system undergoes alterations between assessments, which impedes the identification of trends or progress in enhancing the system's security posture.

6. Lack of Standardisation

One of the challenges in performing an OT cyber security assessment is the lack of standardisation in the OT environment. Unlike IT systems, which have well-established standards and protocols, OT systems are often unique to each organisation, making it difficult to develop standardised assessment methodologies.

7. Complexity of OT Systems

Another challenge in performing an OT cyber security assessment is the complexity of OT systems. OT systems are often composed of many different components, including hardware, software, and network devices. These components often have different levels of security and require specialised knowledge to assess properly. Furthermore, OT systems are often interconnected with other systems, such as IT systems, which can make it challenging to identify and isolate security risks.

8. Lack of Visibility

OT systems are often distributed across multiple locations and connected to different networks, making it difficult to gain a comprehensive view of the system. This lack of visibility can make it challenging to identify potential security threats and assess the risk level of the system accurately. Additionally, OT systems often lack the necessary logging and monitoring capabilities, making it difficult to detect and respond to security events.

9. Skills Shortage

Another challenge in performing an OT cyber security assessment is the shortage of skilled cybersecurity professionals with specialised knowledge in OT security. OT systems require a different skill set than IT systems, and many cybersecurity professionals do not have the necessary expertise to assess OT systems properly. The shortage of skilled professionals can make it challenging for organisations to find the right personnel to perform an OT cyber security assessment.

Leverage an automated OT native assessment tool

An automated OT cyber assessment platform helps overcome these challenges in several ways:

  • Continuous monitoring and assessment

An automated OT cyber assessment platform can continuously monitor and assess an organisation's OT systems, providing real-time visibility into potential risks and vulnerabilities. This continuous monitoring and assessment can help service providers avoid relying on one-time assessments, as they can stay up-to-date on the organisation's security posture and proactively identify any changes or new risks as they emerge.

  • Consistent and standardised assessments

An automated OT cyber assessment platform can provide consistent and standardised assessments across all OT systems, ensuring that all potential risks and vulnerabilities are identified and evaluated consistently. This consistency can help service providers avoid relying on one-time assessments, as they can trust that the assessment results are reliable and consistent across all systems.

  • Scalability

An automated OT cyber assessment platform can scale to assess large and complex OT systems with ease. This scalability can help service providers avoid relying on one-time assessments, as they can assess the entire OT infrastructure continuously and efficiently.

  • Data-driven insights

An automated OT risk assessment solution can provide data-driven insights into potential risks and vulnerabilities, helping service providers identify areas for improvement and prioritize remediation efforts. These insights can help service providers avoid relying on one-time assessments, as they can continuously monitor the effectiveness of their security measures and make data-driven decisions based on real-time insights.

An OT security assessment provides value over time

An automated OT cyber assessment platform can help customers and service providers avoid relying on one-time assessments by providing continuous monitoring and assessment, consistent and standardised assessments, scalability, and data-driven insights. These benefits can help service providers not only ensure that their clients' OT systems remain secure and resilient over time, but also optimize the return on investment (ROI) of their existing security controls, human resources, and operational security processes.

What is an example of OT security?

An example of Operational Technology security involves the strategic implementation of network segmentation. This technique effectively isolates industrial control systems from corporate networks. By doing so, critical infrastructure components, such as those found in power plants or manufacturing facilities, are shielded from potential cyber threats that might target corporate IT systems. This proactive measure significantly reduces the risk of cyberattacks, data breaches, and unauthorized access to vital machinery and processes. Network segmentation not only safeguards the integrity and availability of essential operations but also underscores the importance of prioritizing cybersecurity in modern industrial environments.
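The segmentation described above is only as good as its enforcement, so an assessment should verify it rather than assume it. The following script is an added illustration, not OTORIO code or a tool the article describes: it models three zones (corporate, industrial DMZ, control) with the conduits permitted between them, then classifies a handful of constructed flow records so that a corporate workstation talking straight to a PLC, or an unlisted protocol crossing a conduit, is reported as a violation while unmapped assets surface as a visibility gap. The zone address ranges, the allowed ports, and the `key=value` flow log format are all assumptions made for this example.

```python
"""Segmentation policy check for OT zone/conduit rules.

Added illustrative example, not OTORIO code. Zone ranges, conduit rules and
the flow records below are constructed sample data, not a real site's design.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone model (IEC 62443-style zones). Address ranges are sample
# values chosen for this example, not a real addressing plan.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Conduits: (source zone, destination zone) -> allowed (protocol, dport) pairs.
# Any zone pair absent from this table is denied, so a direct
# corporate -> control flow is a segmentation violation by construction.
CONDUITS: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("corporate", "idmz"): {("tcp", 443)},                # HTTPS to the historian mirror
    ("idmz", "control"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP and EtherNet/IP from the DMZ historian only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it lies outside every known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow) -> str:
    """Classify one flow against the conduit policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"   # unmapped asset: a visibility gap to investigate
    if src_zone == dst_zone:
        return "intra-zone"     # no conduit crossed; out of scope for this check
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"violation: no conduit {src_zone}->{dst_zone}"
    if (flow.proto, flow.dport) not in allowed:
        return f"violation: {flow.proto}/{flow.dport} not permitted on {src_zone}->{dst_zone}"
    return "allowed"


def parse_flow(line: str) -> Flow:
    """Parse a 'key=value' flow record (constructed format for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


# Constructed sample flow records, as a firewall or passive sensor might export them.
SAMPLE_FLOWS: List[str] = [
    "src=10.10.5.23 dst=10.20.0.7 proto=tcp dport=443",          # corporate -> iDMZ over HTTPS: allowed
    "src=10.20.0.7 dst=192.168.100.10 proto=tcp dport=502",      # iDMZ historian -> PLC, Modbus/TCP: allowed
    "src=10.10.5.23 dst=192.168.100.10 proto=tcp dport=502",     # corporate workstation straight to a PLC: violation
    "src=10.10.5.23 dst=10.20.0.7 proto=tcp dport=3389",         # RDP into the iDMZ is not a defined conduit: violation
    "src=192.168.100.5 dst=192.168.100.10 proto=tcp dport=502",  # HMI -> PLC inside the control zone: intra-zone
    "src=172.16.0.5 dst=192.168.100.10 proto=tcp dport=502",     # unmapped source address: unknown-zone
]


def audit_flows(lines: List[str]) -> Dict[str, List[str]]:
    """Group flow records by verdict; anything other than 'allowed' or 'intra-zone' needs review."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        report.setdefault(check_flow(parse_flow(line)), []).append(line)
    return report


if __name__ == "__main__":
    for verdict, lines in audit_flows(SAMPLE_FLOWS).items():
        print(verdict)
        for line in lines:
            print("   ", line)
```

Run against a real flow export, the "unknown-zone" bucket is as useful as the violations: it lists assets the zone model does not know about, which is exactly the lack-of-visibility problem the article raises, and each one is either a missing inventory entry or a device that should not be on that network at all.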

What is the operational risk assessment process?

The Operational Risk Assessment process is a methodical approach to evaluating and managing risks within business operations. It involves several stages: identification, analysis, and mitigation. In the identification phase, potential risks are identified across various operational aspects, including processes, equipment, personnel, and external factors. Subsequently, in the analysis phase, these risks are assessed in terms of their potential impacts and likelihood of occurrence. This analysis aids in prioritizing risks for further attention. The final phase, mitigation, entails devising strategies and action plans to minimize or eliminate identified risks. By systematically going through these steps, businesses can enhance efficiency, ensure safety, and fortify financial stability by proactively addressing potential disruptions and challenges.

What is included in a security assessment?

A comprehensive security assessment encompasses a range of vital components aimed at strengthening an organization's security posture. This assessment involves identifying vulnerabilities in systems and applications that could potentially be exploited by malicious actors. Additionally, penetration testing is conducted to simulate real-world attacks and gauge the effectiveness of existing defenses. The assessment evaluates security controls in place, assessing their adequacy in preventing and mitigating risks. Moreover, potential threats are analyzed, considering both internal and external sources. Based on the assessment's findings, actionable recommendations are provided to enhance overall security, ensuring that an organization is better prepared to thwart cyber threats and safeguard its digital assets, sensitive information, and operational continuity.

About the Author

Daniel Bren, Co-Founder and CEO at OTORIO

Daniel Bren is a senior cybersecurity leader with over thirty years of cross-domain expertise in cybersecurity and SecOps. Bren co-founded OTORIO, an industrial-native OT security risk management platform dedicated to helping industrial organizations and critical infrastructure reduce OT/ICS/CPS cyber risk and ensure resilient operations.