
Methods for industrial-security success in the vulnerable converged-OT landscape

May 16, 2023
Organizational leaders are paying attention to OT security, but relatively low-ranking professionals are still in charge of it.

By Willi Nelson, field CISO for OT, Fortinet

Attacks against operational technology (OT) have grown in frequency for a few different reasons, including the convergence of OT and IT networks, the development of cybercrime-as-a-service, and increased accessibility of attack kits on the dark web. At the same time, the variety of targets that represent OT and critical infrastructure has also expanded.

As critical infrastructure such as water and electrical utilities becomes increasingly targeted, it’s urgent that these vital assets be secured. Many OT subsectors still rely heavily on legacy software and hardware, which is important context to keep in mind when thinking about the risks connected to these threats.

Next-generation cybersecurity strategies and solutions are vital. However, it's worth noting that for many OT enterprises, safety, reliability and uptime frequently rank highest in the hierarchy of needs. This does not imply that OT isn’t secure, but it does imply that managing cyber-risk for OT is trickier than it might first appear.

How can industrial organizations navigate today's OT landscape with security in mind? It starts with learning from the past and preparing proactively.

Lessons from the trenches 

The good news is that cybersecurity awareness is much higher than it’s ever been before, especially when it comes to the problems of OT security. Across industries, we’re seeing that executives and boards are also asking questions and educating themselves. These two developments show that cybersecurity for OT is moving in the right direction.

In that vein, it’s important to learn lessons from other organizations’ breaches, the primary lesson being that you are going to have a network breach at some point. It’s no longer a matter of if, but when. Prepare in advance with an incident-response plan and develop playbooks. Executives need to know what they are responsible for, and they need a comms plan. You need to know your regulatory requirements for reporting when an incident occurs. You need to not just know all of this in theory, but to practice it, as well. Part of the planning process involves assessments. Check your technology, be honest about your capabilities and make sure that you fill any gaps.

One key takeaway from our 2022 State of Operational Technology and Cybersecurity Report is that organizational leaders are paying attention to OT security, but relatively low-ranking professionals are still in charge of it. Only 15% of report participants indicated that their organization’s chief information security officer (CISO) oversees OT security. According to the survey, managers and directors in a variety of positions (such as plant operations) are primarily responsible for managing OT security. As industrial systems become a target for malicious actors, OT security needs to be addressed by the C-suite.

Recommendations for forward motion

Crunching the numbers reveals that investment in security and proactive incident-response planning is significantly less expensive than the harm that results from a breach. The average cost of a data breach in enterprise environments is over $4 million, but in operational technology, that cost can be significantly greater since you have to factor in manufacturing and supply chain issues.

Our report provides recommendations for how to keep OT systems secure. These include:

· Limit the number of security suppliers and use integrated products

· Use network access control (NAC) technology

· Use only solutions that provide centralized visibility of all OT activities

The impact of IoT, IIoT and 5G on architecture can't be overlooked. These technologies make business easier, which means they’ll get here before you’re ready. So, adopt them now, even if you don’t think you’re ready. Put them in your R&D environment and start playing with them. Start looking at what security controls you need for them. Being proactive is key.

As manufacturers face advanced persistent threats, they’ll also need to adopt behavior-based detection that uses the most recent, real-time threat intelligence. Attackers are focusing on reconnaissance, figuring out how to turn emerging technology into weapons, and sidestepping security measures. Therefore, you will need a behavior-based defense that uses machine learning and AI.

What does the future hold for enterprise cybersecurity? Though no one can predict the future with full accuracy, it's a safe bet to continue to focus on resilience. Look at your controls. Look at your partners. Follow the “fail fast & partner often” approach. These days, you can't scale at the breadth and the speed that you need without partners.

What security success requires

There are multiple reasons why OT security deserves the undivided attention of the C-suite. The question isn't whether a breach will occur. The question is: How prepared will you be?

Today's converged OT/IT environments are under attack like never before, requiring a new approach led by the CISO and powered by the latest technology, enabling resilience and agility.