I invite you to join the OTORIO webinar on 'Approaches for obtaining an ROI from addressing cybersecurity holistically' with Harry Thomas and Dave Cullen from OTORIO and myself. The webinar will be held on Dec. 5, 2023, at 10:00 a.m. Pacific Time.
Background
The cyber risk threat landscape includes the operational environment, posing a significant risk to critical infrastructure. As organizations navigate the increasing convergence of information technology (IT) and operational technology (OT), chief information security officers (CISOs) in industrial and manufacturing organizations find their roles expanding to address the unique challenges presented by OT/ICS cybersecurity. This blog explores proactive measures that CISOs can adopt to enhance cybersecurity in OT/ICS environments, emphasizing tangible return on investment (ROI) and aligning these efforts with the organization's broader business goals.
Understanding the landscape
Before delving into proactive strategies, defining key terms and understanding recent trends in OT security is crucial. OT refers to the networks and systems responsible for controlling industrial and manufacturing processes, and OT/ICS cybersecurity involves protecting these networks and devices from unintentional and malicious cyber threats.
Recent trends indicate a rise in cyber incidents within the operational environment, extending beyond the ransomware attacks common in IT. There have been more than 40 OT/ICS cybersecurity incidents involving direct threats in 2023, spanning electric power, water, transportation, manufacturing, data centers, medical devices and more, highlighting the diverse and widespread impact of cyber threats on critical infrastructure. A very troubling recent cyber incident was the Iranian cyberattacks against programmable logic controllers (PLCs) in U.S. and Israeli water systems, specifically targeting the Israeli control system supplier.
Challenges and opportunities for CISOs
For an organization with OT/ICS equipment, the CISO is no longer confined to IT but also has responsibilities for OT/ICS cybersecurity. Challenges persist, including limited visibility into OT/ICS, the need for specialized tools, limited OT/ICS expertise and the requirement to justify investments. CISOs must quantify risks, present clear plans with measurable outcomes and bridge the gap between traditionally siloed IT and OT/ICS departments.
One of the challenges CISOs face in industrial and manufacturing organizations is identifying and mitigating critical risks and understanding their business impact. The board of directors requires CISOs to quantify risks in terms of business value. For instance, the direct cost of a cyberattack on the operational environment could halt or damage production, cause injuries and impact brand reputation, resulting in a direct financial business impact. CISOs must emphasize the importance of proactive measures, continuous monitoring and assessment of cyber risks that directly contribute to the organization's ROI.
The role of proactive OT cybersecurity
Proactive OT cybersecurity involves strategic investments and measures to prevent incidents rather than just reacting to them. It addresses the organization's ROI by ensuring the reliability of operational processes and reducing downtime. Practical steps include collaborating and aligning security efforts between IT, OT and engineering teams, continuous risk monitoring and providing contextual business insights to make informed decisions. Another example is addressing alarm management in OT cybersecurity and ICS operational environments. Engineering participation, especially in monitoring the physics of field devices, directly enhances productivity, performance, safety and predictive maintenance.
For people, processes and technology, the implications of ROI in OT security are profound. Investment in training and awareness programs enhances the human factor, while technology investments contribute to the organization's technological resilience. Process improvements, guided by ROI considerations, ensure the effective implementation of cybersecurity measures.
Board expectations and conclusion
Boards expect CISOs to clearly understand the organization's cybersecurity posture, justify investments in OT/ICS security and align security initiatives with business goals. The evolving role of the CISO in the operational environment requires a strategic approach to safeguard critical infrastructure and contribute to the organization's overall success.
A proactive OT cybersecurity approach with a compelling ROI case enhances the organization's security posture and presents a strong case for necessary OT/ICS security funding. CISOs, armed with knowledge and strategic foresight, can bridge the gap between IT and OT/ICS, contribute to digital transformation, help improve operations and demonstrate their value to the board of directors in safeguarding the organization's critical assets.
Key takeaways
With the shift to CISOs owning OT/ICS security, a staged approach with a compelling ROI case is required to implement a comprehensive security program. Initial steps should involve both IT and OT/ICS gaining an understanding of the organization's current risk from both IT and OT/ICS perspectives. Being able to visualize existing security solutions in a matrix should allow gaps to be seen and provide guidance on where to invest money.
From there, work to implement the security program. Identifying a location to make your “gold standard” will allow your team to see and understand the impact of security investments clearly. This process may take time, but from there, you can use your “gold standard” site to assess risk compared to your other sites. Any gaps and deviations should be categorized as “now,” “next,” “nice to have” and “never.”
The staged approach will set your organization on a path to protect everything you operate in a systematic and measurable way while reducing overall organizational risk.