The importance of thorough and effective operational technology (OT) security is an organisational concern that is only rising in priority. We just need to look at the impact of recent international incidents – such as the breach at a Florida water treatment plant and SolarWinds – and the actions of the Australian Government to know that, if we don’t take a proactive and progressive approach to our OT security, we’re going to be playing a costly game of catch-up that could equate to ‘too little too late’ in some circumstances.
While there are many clued-up people in organisations who understand ‘the time is now’ when it comes to getting their OT security right, others may be dragging the chain and consequently stymying the process.
In many cases, organisations are reacting to the increasing cyber threat by throwing money at glitzy security products that may not even be the right fit for their OT environment. This scattergun approach of ad-hoc solutions only applies a band-aid over the problem until the next vulnerability exposes OT assets once again.
Organisations in this position often find themselves in a continuous cycle of knee-jerk spending, failing to address the root cause of their cyber problems. Similarly, with product deployments, if organisations don’t have the correct cyber operating models to support their security technology portfolio, then OT may continue to be exposed.
Organisations need to start looking to cure the disease, rather than always reaching for the first-aid kit for quick, temporary fixes. Industry needs to stop putting the cart before the horse and address the problem at its core.
Where security spend should really be focused is on the design of a robust OT security architecture. This is the key to unlocking the root cause of the problem. It is a relatively low-cost measure that can offer considerable value in return. This design should become the foundation of any cyber strategy: it provides a reference and guides the organisation by defining exactly where to deploy security controls to best protect OT operations and get the most from security spend. Think of it this way: you can’t construct a solid house without the right foundations (it’s called ‘architecture’ for a reason!).
So, how do you move forward with spending wisely on your OT security, transitioning from being reactive to proactive, and getting your architecture in place?
If the money is there but it’s being spent in the wrong places, in some ways, you’re in luck. You may need to orchestrate a shift in company thinking or maybe even employ a ‘translator’ to ensure IT, OT and management teams are all speaking the same language but, once you do that, you should be in a position to redirect that spending and use it where it matters, rather than digging into the company coffers and finding more funds.
A proven, proactive process to follow towards establishing your OT security architecture is SIS’ Threat Neutralisation Lifecycle. This cycle comprises three key phases:
1. Assess & Define;
2. Design & Implement;
3. Operate & Maintain.
Starting with Assess & Define, you must first fully understand your OT assets, your risk posture and your business requirements. That way, you can ensure the selection and design of security controls in your OT security architecture will have full traceability to your business mandate.
Don’t know where to start or which standards or frameworks to follow? Let the specialists take care of this for you. Speak with the team at SIS.