In my last blog, I kicked off a discussion about the five most commonly asked questions by customers regarding cyber security for ICS/SCADA systems, or operational technology (OT). I addressed the first three—1) Are cyber security threats real, 2) Who should be responsible for OT cyber security, and 3) What if IT says they have security covered.
Today I’m going to address two additional questions and offer some actions you can take now to reduce your threat landscape.
Question 4: Do We Have the Right Talent to Drive OT Security?
This a fundamental question, and foundational to how you will approach protecting physical assets from cyber attack. As industrial businesses increase investment in digital technologies to improve efficiencies and productivity, there is a growing skills gap in those who manage the technology that runs industrial environments.
For starters, to effectively secure OT environments requires a different mindset than IT. OT professionals must think first in terms of safety, production uptime, operational efficiency, process control integrity, and product quality. A cyber security professional coming from an OT world is going to apply operational priorities toward addressing the increased threat of cyber attacks.
It’s hard to get security resources, let alone OT resource. It’s not just any talent, it’s the right talent. To me, the most critical skills required to address the unique nature of OT cyber threats are the following, in rank order:
- Engineering discipline.
- Safety protocols and practices.
- A process availability/uptime mindset.
- Experience in industrial networking environments.
But as companies grapple with the skills needed to protect critical infrastructure, there are OT cyber security education offerings. These types of services can help close the skills gap.
Question 5: How Do I Get the Budget?
This is a big question I get asked a lot. A key observation coming out of the 2016 Security of Things Conference is that companies are pursuing very real business outcomes from IoT, but believe security will follow later. This is a dangerous approach that leaves organizations extremely vulnerable.
Again, from the 2016 SANS Report: “More often than not, CxOs, managing directors, and even board members are held liable at all stages of a security incident. Businesses, therefore, need to engage proper representation of budget managers and senior stakeholders across the enterprise. This will help to ensure proper budgeting for the operational security needs of the business.”
From our experience, the primary way to introduce budget needs for OT cyber security should focus on two key areas:
Unplanned downtime can result in millions of dollars in lost revenue. Many factors contribute to unplanned downtime; make sure a cyber incident isn’t one of them.
Safety of People, Community, and Environment
The implications of a safety incident related to cyber security breach are enormous. In addition to the risk to human life, there are the costs associated with the loss of equipment, production, and negative impact on corporate reputation.
One of the best ways to advocate for budget is to start with an assessment to create a baseline which will help identify the threat landscape and the potential consequences and prioritize a path forward. But that is just a start. Most mature organizations maintain a practice of assessing people, process, and technology on a regular cadence, to ensure the integrity and resilience of an environment over time, with an eye towards continual improvement you’re your company doesn’t have the right skills or experience to implement this type of best practice, you should seriously consider engaging with a firm that is qualified and experienced in ICS environments to conduct the assessment.
Cyber security breaches are real and growing. And as companies embrace the opportunities found in becoming a digital industrial business, cyber security must be part of the very first step. Otherwise, the potential gains from digital technologies could be offset significantly by damage caused by cyber attacks.
Here are three practical steps you can take today.
- First, understand your risk — not just technical risk, but also people and process risk. A thorough assessment of your OT environment will go a long way in demonstrating to executive leadership the current risks to the business, but also should include a blueprint for mitigating the risk.
- Second, increase cyber awareness of OT personnel through training for a deep OT security understanding. This can help enable a more resilient security position and foster long-term improvements in security planning.
- Finally, as IT and OT increasingly intersect, Wurldtech strongly recommends that companies consider organizational measures to evolve IT and OT cyber security strategies.
Don’t wait. Take action today to support the growth of your business securely, and protect the safety of your people, the community, and environment.