NERC CIP Compliance + Risk Management - It's not Black and White

03 Apr 2023

By: Dave Cullen, Field CTO, OTORIO

Energy and Utility Companies are familiar with building cybersecurity compliance programs around the NERC CIP control framework. Usually, the focus is placed on meeting the requirements of the applicable NERC CIP controls to avoid the risk of fines. This drives a significant allocation of resources, both time (human effort) and money, in order to remain onside with regulations.

Compliance requirements have done a lot to increase awareness and drive investment, but the question remains: does compliance guarantee that effective security is in place?

The answer is unfortunately a bit gray.

Compliance does not automatically guarantee that effective security design and posture are in place. However, compliance is the necessary foundation to build an effective security program upon. Continuing to meet compliance requirements while building a security program that is aware of the gaps regulations don’t cover is critical. In today’s competitive and regulated market, a risk-informed approach will help Utilities scale their OT cybersecurity initiatives to meet both today’s and future challenges, while significantly reducing the time and cost of the overall process.

Increasing Vulnerabilities and Threats

Accelerated digitization and connectivity have eroded the “air gaps” that traditionally protected OT networks from external threats. Increased remote access by employees, vendors, and service providers has expanded the attack surface even more.

The critical nature of the services provided by Energy and Utility Companies drives a focus on availability. Cybercriminals are well aware of this sensitivity to downtime, and that because of it Energy and Utility companies are more likely to pay up.

While compliance frameworks drive awareness and action, they are typically built and refined in response to cybersecurity events and conditions. We have seen a dramatic increase in government directives and best practice recommendations in response to cyber events. The “time to action” expectation is lower than ever before. Energy and Utility Companies are now facing situations where they must comply with multiple cybersecurity policy frameworks, including NERC CIP, NIST CSF and IEC 62443, and, moreover, these frameworks continue to evolve at an unforeseen pace.

Beyond NERC CIP Compliance: A Risk-Informed Approach

Compliance frameworks typically define what should be done, but not how to implement changes. That’s why adopting a risk-informed approach and moving beyond compliance is crucial. Risk management is a business function. When managed correctly, it has the ability to unify OT and IT security strategies, keeping each area’s priorities in focus.

One additional important factor is context. What might work for one organization might not work for another. Thus, energy and utility companies should have a security management plan that aligns with their specific business objectives rather than relying on a “universal” security paradigm.

The journey towards cybersecurity maturity is not a straight line. Compliance requirements have done a lot to increase awareness and drive investment, but compliance by itself does not automatically guarantee that effective security controls are in place, configured effectively, and monitored by efficient processes.

To assist organizations in meeting their goals, OTORIO developed a proactive approach to managing OT risks. Our approach is based on four key elements: 

  • Deep, contextual asset inventory management 
  • Hazard-free identification of exposures
  • Feasible mitigation playbooks
  • Clear and concise risk and compliance scoring reports

Built around OTORIO’s groundbreaking technology, our OT security solutions cut through the noise and empower IT, security, and OT engineering teams with the relevant information required to defend their assets, environments, and networks.

Learn more by reading our Energy & Utility e-book