Yair Attar, Co-founder and CTO, OTORIO
A recent report by Gartner predicts 75% of CEOs will be personally liable for cyber-physical security incidents by 2024. The report, written by Katell Thielemann, research vice president at Gartner, also claims that organizations must focus on ORM – or operational resilience management - beyond information-centric cybersecurity.
ORM Means Anticipating, Preventing and Recovering from Adverse Events
Operational Resilience Management, or ORM, refers to the ability of organizations and processes to adapt to adversity. Operational Resilience Management (ORM) is the science and art of ensuring business continuity in the face of such adversity.
The watchword for ORM stakeholders should be “bend, don’t break.” In other words, ORM is about adaptability. It’s the art of anticipating, preventing, recovering from adverse events, and adapting to avoid similar events in the future – all without interrupting or compromising business continuity.
ORM touches the entire enterprise – affecting people, processes, and systems. With such a broad mandate, it’s no surprise that ORM represents a unique trans-organizational challenge, especially as the lines between digital and physical systems blur.
The wave of digitalization sweeping across organizations of all types – most notably industrial organizations – has given rise to a new category of systems that are considered critical for business continuity: Cyber Physical Systems (CPS). Gartner claims that CPS represents “the convergence of IT, OT, IoT and physical assets,” and that its emergence is driving a new, more holistic industrial security paradigm.
In this paradigm, the physical machines that power an industrial enterprise and the digital systems that drive them need to be regarded as equally vulnerable. This, of course, is why organizations are seeking solutions that manage disparate security elements holistically…but we’ll touch on that later.
The question is, how does this evolution impact ORM? Operational and maintenance teams are long familiar with operational resilience, and are generally the in-house experts on the APM and CMMS systems that currently govern ORM efforts. Now, along come CPS systems, and ORM suddenly looks a lot different. All of a sudden, ORM includes OT Security – and the ORM ownership game has changed radically.
Drill Down: What Does ORM Entail?
CPS ORM requires ORM stakeholders to take a different, more holistic and decidedly digital/physical perspective on operational resilience. Here’s how we see the CPS ORM process in 9 steps. You’ll notice that from Step 6, things start to diverge significantly from traditional ORM models…
Back to the Gartner report mentioned above. It claims that “A focus on ORM – or operational resilience management - beyond information-centric cybersecurity is sorely needed.” But in traditional ORM scenarios, operational teams have been the ORM process owners – and with good reason: these are the people that have their boots on the ground of day-to-day operations, and have a deep understanding of the business impact of resilience.
So who needs to own ORM going forward? The answer is clear. It is the people who are in charge of production operations. They are the ones with an understanding of both the processes and the business impact of every risk. What is also crucial is that cybersecurity teams stand ready to support and assist the ORM process owner in this journey - building policies and assisting with the incident management and cyber security incident response in the event of a breach.
It’s no secret that – even as ORM (and many other processes) evolve to accommodate new types of risks – the risks themselves are evolving, too. Cyber risk management and cyber risks, too, are constantly in flux as threat landscapes and attack surfaces alike expand.
The challenge facing CPS ORM stakeholders is that much of their global OT infrastructure, despite being automated and computerized, is still not resilient in the face of existing and emerging cyber threats. Existing cybersecurity solutions were designed for IT ecosystems and adapted to OT needs – they are challenged to protect the unique multi-generation hybrid networks that comprise production environments.
Lacking the capability to effectively protect the core OT networks, CPS ORM is hobbled. The good news is that organizations realize this deficit, and are actively seeking tools to alleviate it – supporting the CPS ORM process and mitigating the risks.
CPS ORM teams need industrial cybersecurity solutions that encompass all aspects of cyber risk, notably:
So what have we learned so far. Digital and cyber risks are changing rapidly. To ensure that ORM is successfully implemented itself, organizations need to ensure that:
Last but not least, ORM solutions need to be designed from the ground up for OT security. This is the approach that OTORIO’s solutions are built on, and it is key to helping organizations evolve their ORM paradigms to meet today’s and tomorrow’s resiliency challenges.
Want to learn more? Take a deep dive into OTORIO RAM² - Digital Risk Management and Next Gen OT Security Platform.
In my next blog we are going to take a deeper look at the routines of risk avoidance being managed by the operational teams with the support of the security teams in detection and response of immediate risks.