Applied Risk and and Frost & Sullivan published a Blueprint for Building Sustainable Operational Technology (OT) Cyber Security. The aim is to provide clear advice on the people, process and technology considerations that must be made at every stage of an OT security programme’s lifecycle.
any organisations that rely on Operational Technology (OT) need to elevate their cyber security to a higher maturity level.
A noticeable increase in threats that target OT assets places a wide variety of companies, including those operating critical infrastructure, at risk of process upset, production shutdowns, safety incidents, or other service disruptions.
These disruptions can negatively impact mission-critical supply chain operations and the public. Ongoing geopolitical tensions, the rise of criminal ransomware organisations, and the supply chain vulnerabilities that critical infrastructure organisations face all increase the overall threat landscape.
New regulatory compliance standards are appearing, and ongoing trends towards digitalisation and Industry 4.0 are driving integration between information technology (IT) and OT domains, increasing the overall OT attack surface.
That’s why many companies with industrial operations are initiating OT security programmes
the report noted.
Frost & Sullivan research has found that, among organisations operating critical infrastructure, 37% of decision-makers voiced concerns over a lack of expertise in accomplishing a sustainable and well-maintained OT security programme.
What makes such an OT cyber security programme successful? The blueprint explains that a typical IT-centric strategy will not work in OT environments because OT cyber security practices vary from traditional IT strategies.
Consequently, organisations must address OT-specific challenges when developing these programmes and use governance models and frameworks that include engineering and business processes.
In an effort to keep risks as low as reasonably practicable (ALARP), stakeholders should seek ways to implement the necessary OT security measures to preserve critical business operations and to shield the organisation from potential service disruptions. An increased level of OT security maturity is crucial for the long-term success of their OT security programme and to sustain business-as-usual efforts.
Despite understanding the importance of an OT cyber security programme, 40% of OT decision-makers have concerns about the potential security risks of IT and OT system integration, even when security protocols vary
Frost & Sullivan Security Research Team, said.
The following equation describes a successful OT security programme:
- Commitment: Stakeholders across the organisation, such as engineering teams, operators, plant managers, and management, must be dedicated to developing, implementing, and maintaining the necessary OT security controls and processes.
- Framework: A solid OT security process must be created that focuses on identifying business risks from immature OT security policies, meeting regulatory requirements, achieving OT security goals, and implementing measures for long-term programme maintenance and threat mitigation.
- Discipline: OT security activities must be embedded within the business-as-usual activities of the organisation. The efficacy of the programme must be maintained through continuous monitoring, policy management, regular penetration testing, and threat modelling.