The risk the majority of Australian critical infrastructure owners and operators are taking regarding the security of Operational Technology (OT) is very real and, in a number of ways, very concerning. But it doesn’t have to be the case.
Cyber security is fundamentally about the protection of business objectives. Whether in relation to IT or OT security, the objective is still the same, yet the stakes are higher when it comes to OT so, you could say, it’s more important to get it right.
If you want to get serious about applying a comprehensive methodology to build your industrial cyber security strategy for your company, you’re taking the first step to rectifying not just a potential problem with your business but an industry-wide one. So, where do you start?
Here are some questions to ask yourself before engaging a professional to address the security of your OT assets.
Are you prepared to think strategically, rather than reactively?
As with every undertaking in business, the effort involved in enacting any methodology is significant, which means you’re probably reluctant to move away from whatever processes you currently have in place. However, it’s likely you’ve taken a tactical or reactive approach to your security controls. To be effective, that approach needs to be strategic instead.
In order to correct your company approach, you may be tempted to introduce a new strategic framework yourself by simply following the industry standards – such as the NIST Cybersecurity Framework (CSF) or IEC 62443 – but it’s not a matter of applying just one reference. You need to address different aspects of those references at multiple touchpoints throughout the industrial cyber security lifecycle.
In other words, many companies think they are following industry standards but, in actual fact, they are not – they overlook key steps. This is not something to beat yourself up about. You shouldn’t be expected to know how to apply such industry standards at the level of detail required to deliver the desired results, unless you’re someone who works with these standards on a regular basis.
A patchwork approach to OT security is also a false economy. Be prepared to start afresh, building the foundations of your organisation’s industrial cyber strategy with a methodical approach.
Do you fully understand your business requirements?
You need to look holistically at all systems across your business (Levels 0-5). Do you have a comprehensive asset inventory? Many companies tend to focus only on externally facing systems (i.e. IT), and to do so in a fragmented way, rather than taking into account the entire IT and OT environment.
Have you thought about your risk?
Security is ultimately a function of risk. Risk is the impetus that pushes companies to spend money on security – similar to how we, as individuals, put locks on our doors for assurance and peace of mind.
Before the implementation of any security measures, it’s imperative that a risk assessment takes place. But not just any risk assessment. In order to protect your OT assets, a risk assessment needs to drill down to the asset/component level of your OT environment, which is an area that requires the eye of a specialist equally skilled in security and engineering. This, therefore, should not fall within the responsibility of your IT department.
In reality, most organisations have not performed a risk assessment comprehensive enough to fully understand their cyber risk posture. This is no fault of their own, beyond failing to recognise that they don’t have the expertise to do it themselves.
Do you have the buy-in from your associates and the budget for your OT security?
In terms of cyber security, companies are spending money in the wrong areas. This is happening because they haven’t completed a formal or comprehensive risk assessment to fully understand the level of risk across different areas of their business. This results in money being spent on ‘bolt-on’ controls (e.g. network monitoring) because that’s the current perception of where security expenditure should occur.
If you can secure buy-in to undertake a proper risk assessment with industrial cyber security professionals, then the budget will be evidenced by the results of that assessment. Start with the risk assessment and the rest should fall into place.
Do you have the time and resources to stay ahead of the cyber threat?
Remember, you can’t do everything internally. Be prepared to consider a co-sourced arrangement or managed services alignment as part of your industrial cyber security strategy. This means engaging experts to advise your Board, feed you with intel or handle any aspect of your OT security that you may not have the resources to handle yourself.
For example, an external entity may monitor your OT network via a Security Operations Centre (SOC) but you might be able to deal with your incident response capabilities internally (co-sourced arrangement). Open your mind to the possibilities that a partnership can offer you when it comes to your industrial cyber security strategy.
How do you plan for OT cyber security? How do you design it? How do you stress test it? These are just a few of the questions you will need to answer. If you provide a trustworthy external entity with an open advisory door into your security program, you’ll reap the rewards of a better result.
When organisations have controls in place, they often have a false sense of security. Part of your methodology should be to constantly review your system and never fall into a ‘set and forget’ complacency. Having an external entity to ensure every angle is covered while you’re busy taking care of your business is a very smart move.
Are you willing to commit to security in the same way you commit to safety?
Industrial sectors treat their industrial cyber security in much the same way they treated safety decades ago. Nowadays, you can’t enter an industrial site/plant without meeting a number of compliance checks – safety has become ingrained in the culture of the industry. OT cyber security is poised to head in the same direction as safety, largely because it will become imperative, but many organisations are still yet to reach that level of maturity.
Think about all the aspects of safety that make it so important – what are you risking? Your business reputation? Your finances? Your people? The same considerations apply to security. You should be thinking about your OT security in exactly the same terms. The time is now to start changing your business culture. Ask your management to allocate the same budget to security as they allocate to safety.
Are you ready to reach out to an expert who specialises in industrial cyber security?
If you’ve taken all these questions to heart, you’re ready to take control of your industrial cyber security requirements and position your company more powerfully.
Now reach out to the experts at SIS Industrial Cyber Security about your specific needs.