As the threat landscape continues to evolve, operational technology (OT) organizations are facing increased attacks from threat actors targeting industrial, utilities, and manufacturing sectors. This has prompted OT organizations to rethink their approach to OT system security, both from a technical and management perspective.
With the rise of Industry 4.0, IoT, and the convergence of IT and OT, the responsibility for OT cybersecurity is being reassigned. Traditionally, industrial control system (ICS) professionals have managed OT system security. However, a shift is underway, with many companies now entrusting their Chief Information Security Officers (CISOs) with the additional responsibility of securing OT assets.
According to Fortinet’s “2024 State of Operational Technology and Cybersecurity Report,” 27% of respondents have already placed OT security under the purview of a CISO, and an additional 60% plan to do so in the next 12 months. This reflects a growing recognition of the need for a holistic approach to cybersecurity that encompasses both IT and OT environments.
For CISOs tasked with overseeing OT security, navigating this new territory can be challenging. To effectively address OT security, CISOs are advised to follow a three-step approach: learn, collaborate, and take action.
Step 1: Knowledge
The first step for CISOs is to understand how OT security differs from IT security. OT systems prioritize availability, and any downtime poses a significant risk to operations. Securing OT systems involves protecting a wide range of devices beyond traditional IT hardware and software, including IoT systems and connected devices. Additionally, OT systems face a heightened level of threat, with attacks on critical infrastructure like energy, gas, and water utilities becoming more prevalent.
Step 2: Collaborate
Building a collaborative OT security working group comprising IT and OT professionals is essential. This group can help bridge the gap between technical and operational issues, identify vulnerabilities, and respond swiftly to cybersecurity events. Engaging OT personnel in the event of a cyber incident is crucial to minimizing disruptions and mitigating business losses.
Step 3: Get (started) with the program
Once the groundwork has been laid, CISOs can begin implementing an OT security program. This involves conducting a comprehensive inventory of OT technologies and processes, assessing risks, performing a business impact analysis, and developing a threat model. By mapping out the organization’s current OT security posture and identifying gaps, CISOs can create a roadmap for implementing new controls and protections.
Key security controls and technologies to consider implementing include segmentation, microsegmentation, zero trust, access control, encryption, backups, and firewalls. By leveraging existing frameworks and guidance such as NIST’s Guide to OT Security and the NIST Cybersecurity Framework, organizations can effectively address risks, threats, and vulnerabilities in their OT environments.
In conclusion, as the threat landscape continues to evolve, CISOs must adapt their approach to OT security to protect critical assets and ensure operational resilience. By taking a proactive, collaborative, and strategic approach, CISOs can effectively navigate the complexities of securing OT systems in an increasingly interconnected world.