Operational Resilience Management & Assessment: A Brave New World

08 Oct 2020

Why industrial organizations need to look beyond information-centric cybersecurity and focus on business continuity.

Yair Attar, Co-founder and CTO, OTORIO

A recent report by Gartner predicts 75% of CEOs will be personally liable for cyber-physical security incidents by 2024. The report, written by Katell Thielemann, research vice president at Gartner, also claims that organizations must focus on ORM – or operational resilience management – beyond information-centric cybersecurity.

ORM Means Anticipating, Preventing and Recovering from Adverse Events

Operational resilience refers to the ability of organizations and processes to adapt to adversity. Operational Resilience Management (ORM) is the science and art of ensuring business continuity in the face of such adversity.

The watchword for ORM stakeholders should be “bend, don’t break.” In other words, ORM is about adaptability. It’s the art of anticipating, preventing, and recovering from adverse events, and of adapting to avoid similar events in the future – all without interrupting or compromising business continuity.

ORM touches the entire enterprise – affecting people, processes, and systems. With such a broad mandate, it’s no surprise that ORM represents a unique trans-organizational challenge, especially as the lines between digital and physical systems blur.

Cyber Physical Systems, ORM and OT Security

The wave of digitalization sweeping across organizations of all types – most notably industrial organizations – has given rise to a new category of systems that are considered critical for business continuity: Cyber Physical Systems (CPS). Gartner claims that CPS represents “the convergence of IT, OT, IoT and physical assets,” and that its emergence is driving a new, more holistic industrial security paradigm. 

In this paradigm, the physical machines that power an industrial enterprise and the digital systems that drive them need to be regarded as equally vulnerable. This, of course, is why organizations are seeking solutions that manage disparate security elements holistically, but we’ll touch on that later.

The question is, how does this evolution impact ORM? Operational and maintenance teams are long familiar with operational resilience, and are generally the in-house experts on the APM and CMMS systems that currently govern ORM efforts. Now, along comes CPS, and ORM suddenly looks a lot different. All of a sudden, ORM includes OT security – and the ORM ownership game has changed radically.

Drill Down: What Does ORM Entail?

CPS ORM requires ORM stakeholders to take a different, more holistic and decidedly digital/physical perspective on operational resilience. Here’s how we see the CPS ORM process in 9 steps. You’ll notice that from Step 6 onward, things start to diverge significantly from traditional ORM models:

  1. Understand business and production goals, and their business impact
  2. Evaluate overall systems performance and understand the resources driving this performance
  3. Define systems governance and operational risk policy
  4. Assess operational risk, including mitigation and recovery
  5. Delineate best practices, common risk controls and corrective actions
  6. Identify critical business services and the physical and IT/OT/IoT systems and services that drive them
  7. Map the computing processes, connectivity technologies, information/data flows, and people that support these critical business services
  8. Test the ability of the organization to remain within its impact tolerances, along with the overall resilience of the underlying organizational and technological foundation
  9. Communicate and plan with technical and business stakeholders to prepare for any potential future incidents

Who Needs to Do What?

Back to the Gartner report mentioned above. It claims that “A focus on ORM – or operational resilience management – beyond information-centric cybersecurity is sorely needed.” But in traditional ORM scenarios, operational teams have been the ORM process owners – and with good reason: these are the people who have their boots on the ground of day-to-day operations, and who have a deep understanding of the business impact of resilience.

So who needs to own ORM going forward? The answer is clear. It is the people who are in charge of production operations. They are the ones with an understanding of both the processes and the business impact of every risk. What is also crucial is that cybersecurity teams stand ready to support and assist the ORM process owner in this journey – building policies and assisting with incident management and cybersecurity incident response in the event of a breach.

Empowering CPS Operational Resilience Management

It’s no secret that – even as ORM (and many other processes) evolve to accommodate new types of risks – the risks themselves are evolving, too. Cyber risks, and the management of them, are constantly in flux as threat landscapes and attack surfaces alike expand.

The challenge facing CPS ORM stakeholders is that much of their global OT infrastructure, despite being automated and computerized, is still not resilient in the face of existing and emerging cyber threats. Existing cybersecurity solutions were designed for IT ecosystems and adapted to OT needs; they struggle to protect the unique multi-generation hybrid networks that make up production environments.

Lacking the capability to effectively protect the core OT networks, CPS ORM is hobbled. The good news is that organizations realize this deficit, and are actively seeking tools to alleviate it – supporting the CPS ORM process and mitigating the risks.

CPS ORM teams need industrial cybersecurity solutions that encompass all aspects of cyber risk, notably:

  • Prevention – Identify gaps, vulnerabilities and exposures; learn from known and unknown threats
  • Response – Accelerate response to incidents to minimize possible impact
  • Recovery – Facilitate rapid recovery to avoid downtime and ensure business continuity
  • Learning – Learn from incidents to understand how future incidents can be identified earlier, prevented, responded to, and recovered from

So what have we learned so far? Digital and cyber risks are changing rapidly. To ensure that ORM is successfully implemented, organizations need to ensure that:

  1. ORM incorporates digital and physical risks to better ensure operational resilience
  2. A risk-based management approach is established – from identification of potential risks, through evaluating their possible impact, to implementing mitigation controls
  3. Operational teams are the ones who understand the consequences and are the ones responsible for business continuity

Last but not least, ORM solutions need to be designed from the ground up for OT cybersecurity. This is the approach that OTORIO’s solutions are built on, and it is key to helping organizations evolve their ORM paradigms to meet today’s and tomorrow’s resiliency challenges.

Want to learn more? Take a deep dive into OTORIO RAM² – Digital Risk Management and Next Gen OT Security Solution.

In my next blog we are going to take a deeper look at the routines of risk avoidance managed by the operational teams, with the support of the security teams in detecting and responding to immediate risks.