What CISOs need to know to build an OT cybersecurity program
More companies are tasking CISOs with operational technology security. But this oversight means a new strategy for those unfamiliar with building an effective OT security program.
Motivated by the potential profits of targeting industrial, utilities and manufacturing organizations, threat actors are stepping up their attacks against operational technology companies and their associated assets. In response, OT organizations are racing to create a more effective approach to OT system security from both a technical standpoint and management perspective.
One of the major questions that has arisen is who should be in charge of OT cybersecurity.
Traditionally, industrial control system (ICS) professionals managed OT system security. However, Industry 4.0, IoT and the convergence of IT and OT -- and the security threats and vulnerabilities associated with connecting OT systems to the internet -- have led more companies to give their CISOs the additional responsibility of securing OT.
Case in point: 27% of respondents to Fortinet's "2024 State of Operational Technology and Cybersecurity Report" said they have already rolled OT security under a CISO, and another 60% said they plan to in the next 12 months.
How CISOs can approach OT security
Tasked with ensuring OT cybersecurity, many CISOs find themselves in unfamiliar territory. To mount an effective OT security program and get their bearings as quickly as possible, CISOs should first learn, then collaborate and finally put things into action.
Note: this guidance applies both to CISOs directly in charge of traditional OT environments and to those in charge of traditional IT environments that are increasingly adopting smart technologies and operating in smart buildings.
Step 1. Knowledge
First things first, it's critical to understand the differences between OT security and IT security. Consider the following:
- OT systems need to remain available. View OT security through an operational lens -- every asset must be managed to protect operational conditions. Downtime -- for example, to update or patch systems -- is not an option in many OT environments.
- Securing OT is not the same as securing IT. IT requires securing hardware and software, including devices such as laptops, PCs, printers, servers and cloud services. OT requires these, plus securing ICSes, SCADA systems and programmable logic controllers, among others. Both require securing IoT systems and connected devices, including sensors, smart home and smart office devices, wearables and more.
- OT faces the same threats as IT -- and then some. Connecting OT networks introduces them to traditional cybersecurity threats -- just consider the barrage of recent malware and ransomware attacks on energy, gas and water utilities. This is in addition to the major OT threats and security challenges of safety, uptime, life spans, exposure and meeting regulations.
- OT systems are often legacy and proprietary. Many ICSes, SCADA systems and other OT devices have been in place for years, if not decades. Some might only run on OEM protocols, not the traditional systems IT professionals are used to. Securing and patching such systems often require working with OEMs or using OEM products, and these processes can't always be automated. Some legacy systems might not even be supported by their OEMs anymore.
- Get ready for resource constraints and remote locations. Many IoT and OT devices do not have the power, processing or memory resources required to run traditional encryption algorithms. Additionally, devices could be in remote locations, which not only makes them difficult to update but also requires physical security measures.
Step 2. Collaborate
Next, it's time to build an OT security working group. Early in the process, create a group of IT and OT professionals to help each side understand both technical and operational issues, as well as identify potential bottlenecks and vulnerabilities quickly.
If a cybersecurity event occurs, OT personnel must be engaged before any mitigation or response to help minimize system disruption and business loss.
Step 3. Get started with the program
With improved knowledge of the inner workings of OT security in place and a group created to execute the program, it's time to get started.
To begin, conduct an inventory. Document which OT technologies and processes are in use, where they are, how they are used, and their existing and needed protections. Don't forget about shadow OT. Prioritize assets based on how critical they are to operations.
Next, use the inventory to conduct a risk assessment to identify risks and their impacts, as well as how to counter them; a business impact analysis to determine the effects of business disruptions; and threat modeling to identify vulnerabilities and risks, as well as their mitigation steps.
These assessments help outline the organization's current OT security posture and highlight where security and performance gaps exist. From there, build a roadmap to define how and when to put new controls in place to protect OT networks and endpoints. Use existing frameworks and guidance, such as NIST's Guide to OT Security, the Center for Internet Security Critical Security Controls ICS Companion Guide and the NIST Cybersecurity Framework, to map risks, threats and vulnerabilities, and the processes and technologies to remediate them.
Security controls and technologies to consider implementing include segmentation, microsegmentation, zero trust, access control, encryption, backups, firewalls and more.
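The inventory, prioritization and risk-assessment steps above are easier to reason about with a concrete artifact. The following is an added example, not code from the article or from any framework it cites: it ranks a constructed OT inventory by a simple additive risk score and maps each asset's weak points (internet exposure, unsupported OEM, no patch window, remote site, shadow OT) to the compensating controls named in this section. The field names, weights and sample assets are assumptions chosen for illustration; a real program would take criticality and patch windows from operations staff, not from a script.

```python
"""Rank a constructed OT asset inventory by risk and suggest compensating controls.

Added example for illustration only. The fields, weights and sample assets are
assumptions; they are not a NIST or CIS scoring method.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OTAsset:
    name: str
    asset_type: str                  # PLC, SCADA server, HMI, sensor gateway, ...
    site: str
    criticality: int                 # 1 (nice-to-have) .. 5 (process stops without it), set by operations
    internet_exposed: bool           # reachable from the IT network or the internet
    oem_supported: bool              # vendor still ships security fixes
    patch_window_days: Optional[int]  # None = no tolerated downtime, so patching is not an option
    remote_site: bool = False        # physically remote, hard to service
    documented: bool = True          # False = shadow OT discovered during the inventory


def risk_score(asset: OTAsset) -> int:
    """Additive score in the range 2..18 using assumed weights.

    Criticality dominates (x2) because availability is the primary OT concern;
    the remaining terms capture exposure and how hard the asset is to remediate.
    """
    if not 1 <= asset.criticality <= 5:
        raise ValueError(f"{asset.name}: criticality must be 1..5")
    score = asset.criticality * 2
    if asset.internet_exposed:
        score += 3   # faces IT-style threats (malware, ransomware) in addition to OT risks
    if not asset.oem_supported:
        score += 2   # no vendor fixes available
    if asset.patch_window_days is None:
        score += 2   # cannot take downtime to patch
    if not asset.documented:
        score += 1   # shadow OT: unknown owner, unknown protections
    return score


def recommended_controls(asset: OTAsset) -> List[str]:
    """Map each weak point to controls from the section above (segmentation,
    microsegmentation, access control, backups, firewalls, OEM engagement,
    physical security)."""
    controls: List[str] = []
    if asset.internet_exposed:
        controls.append("segmentation: firewall between IT and OT zones, allow only required protocols")
    if asset.patch_window_days is None or not asset.oem_supported:
        controls.append("compensating: microsegmentation and strict access control where patching is not possible")
    if not asset.oem_supported:
        controls.append("engage OEM for supported fixes or plan replacement of unsupported system")
    if asset.remote_site:
        controls.append("physical security for the remote enclosure and field network")
    if not asset.documented:
        controls.append("add to inventory and assign an operational owner")
    if asset.asset_type in ("SCADA server", "HMI", "engineering workstation"):
        controls.append("backups: tested configuration and project-file backups")
    return controls


def prioritize(assets: List[OTAsset]) -> List[OTAsset]:
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    OTAsset("PLC-07 boiler control", "PLC", "Plant A", 5, False, False, None),
    OTAsset("SCADA-01 plant supervisory", "SCADA server", "Plant A", 5, True, True, 30),
    OTAsset("PUMP-GW-12 pump station gateway", "sensor gateway", "Remote site 12", 3, True, True, None,
            remote_site=True, documented=False),
    OTAsset("HVAC-BMS head office", "building controller", "HQ", 2, True, True, 7, documented=False),
]


if __name__ == "__main__":
    for asset in prioritize(SAMPLE_INVENTORY):
        print(f"{risk_score(asset):2d}  {asset.name} ({asset.asset_type}, {asset.site})")
        for control in recommended_controls(asset):
            print(f"      - {control}")
```

Run as a script it prints the ranked list with controls per asset; the unsupported, never-patchable PLC lands above the internet-exposed SCADA server because, in this weighting, an asset you cannot fix needs compensating controls sooner than one you can patch within a maintenance window.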
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.
Sharon Shea is executive editor of TechTarget Security.