Embarking on the OT cybersecurity journey

By Sunjay Ramessur, Cybersecurity Specialist at iOCO Advisory

While most of us are familiar with cybersecurity processes related to information technology (IT), the same cannot be said of those relating to operational technology (OT). This is understandable: OT cybersecurity is a more recent field, and it’s complex. I’m a certified information systems security professional with 30 years of experience. I’ve been a CIO for several large companies. Even I find the environment complex and challenging.

That’s why we need to take a methodical, comprehensive approach to OT cybersecurity – think of it as a journey that begins with planning and ends with measurement and refinement. I’m going to take you through the high-level steps that will ensure this journey gets us to our destination.

What is OT cybersecurity?

OT cybersecurity refers to the hardware, software, procedures, and best practices designed to mitigate and prevent the exploitation of cyber-physical systems and industrial control systems. These systems control the physical plant and equipment that run our manufacturing equipment, railway systems, energy grids and wastewater plants.

What’s at stake?

Historically, the OT and IT environments have been separated by an air gap. The move away from proprietary platforms by original equipment manufacturers and the use of more off-the-shelf IT components, alongside trends such as IoT, digital twins, cloud, AI, and machine learning, have led to a rapid increase in the convergence between IT and OT environments. This has increased their vulnerability to attacks, and the risks organisations with OT environments face.

Almost every aspect of modern life depends on OT’s uninterrupted functioning. The disruption of OT systems can be catastrophic and could potentially result in loss of life and environmental degradation in addition to reputational damage and financial loss.

Setting off on the journey

Before we set out on our journey we need to know where we’re going and what we’ll need to get there. Our first step is to discover the tools and resources at our disposal. We need to understand our capabilities, vendors and stakeholders, and the culture that exists in the environments we want to secure. We’ll then define our objectives and determine the people, processes and technologies required. Once we collect information to prepare our business case, we can begin with a limited scope to get the ball rolling.

Aligning our teams is critical. There are significant differences between the IT and OT environments, so we need to make sure teams are speaking the same language and seeing the same picture. At this stage we’ll also define an OT/IT steering committee represented by both sides of the business.

After that we’ll develop a strategy to overcome hurdles. We need to create a vision of security and describe the need for change to occur and the direction to be taken. Then we’ll seek the alignment and approval of senior executives.

Next, we decide on policies, and define the behaviours and intentions required of the workforce. We’ll define and set up governance structures, roles and responsibilities, and standards and regulations that measure compliance. We’ll also set up measuring and reporting criteria, so we know if we’re making progress, and develop a plan for refinement. We will assist in appointing leaders to take charge of different aspects of the journey.

Enhancing our capacity and automation comes next. There is a huge variety of OT cybersecurity tools available, and we will help select the tools needed based on our global view of risks across the business and our understanding of what’s available.

When it comes to skills, we first need to see what is available internally. There is a global shortage of cybersecurity skills, and an even more acute shortage of OT cybersecurity skills. If we need to, we can institute training programmes, create accountability, and institute longer-term education programmes and certification. We’ll also need to build a command centre to monitor progress, fix issues, deal with breakdowns and track progress.

Everyone needs a roadmap

By creating a roadmap of projects to be executed, starting with areas of greatest risk, we are able to clearly align management and teams on the ground. Everybody can see the ordering of projects, and the reason, and prepare accordingly. One of the biggest challenges to overcome in implementing OT projects is establishing clear lines of communication. A roadmap will enable all stakeholders to trace the journey and measure progress towards the destination.

Finally, we need to refine our processes to continuously improve their effectiveness, speed, efficiency, and alignment with risk at global and local levels.

A secure OT environment

There’s a lot to think about, but the benefits of following this journey are substantial. Apart from the overall goal – a more secure OT environment – you can expect a better-capacitated organisation, with a real-time view of asset inventory, a global and local view of risks, the ability to monitor and track progress, executive support, and aligned OT and IT environments.

It’s a journey worth embarking on.