Standardise, Centralise and Automate OT Cybersecurity Operations
Introduction
The ongoing digitalisation of industrial operations will require Security Leaders to work with OT cybersecurity service providers that demonstrate both deep knowledge of industrial networks and expertise in business transformation. This will enable asset owners to move from siloed operations to a cybersecurity operating model that provides protection and visibility across its infrastructure. Security Leaders should carefully consider which cybersecurity service provider is the right partner to deliver on their security program as skills and experience vary significantly. WA’s IT/OT Cybersecurity Services Navigator is an assessment of the leading OT security consulting and managed services providers, benchmarking competitors relative to current capability and strategic direction.
OT Cybersecurity challenge
Despite lower manufacturing output globally, asset owners continue to invest in digitalising plant operations. The long-term vision for most manufacturers is clear: highly connected, automated, and intelligent plants that optimise operations and create value for the entire supply chain. Yet, digitalisation also brings with it new cybersecurity challenges and risks.
One of the most pertinent issues arises from the convergence of Information Technology (IT) and Operational Technology (OT). While the merger can lead to streamlined operations and real-time data analytics, it also blurs the lines between two distinct domains, each with its own unique characteristics and requirements. This intersection can introduce new vulnerabilities, from malware being inadvertently introduced by supply chain partners to misconfigurations that could result in security incidents.
Cloud-based OT applications introduce another layer of complexity. While cloud environments offer scalability and operational flexibility, they are also susceptible to a wide range of cyber threats, including ransomware and data breaches. Moreover, the cloud's remote accessibility can extend the attack surface, providing new entry points to exploit.
The overarching challenge faced by asset owners is finding the right balance between accelerating digital transformation without incurring additional or unacceptable risks. The transition to intelligent manufacturing hinges on implementing new operations that are secure-by-design, and by moving from a security model that is entirely dependent on protecting the perimeter to blending traditional layered defence with Attack Surface Management and Zero Trust Principles. Future operations will be connected, interoperable and agile, but they also need to be secure and resilient.
Cybersecurity maturity and target model
Despite the increased investment in OT cybersecurity, there remains a wide gap between the program maturity of the front-runners – those managing Advanced Programs – and the followers who make up most asset owners.
In most countries there is wide variation in the maturity of cybersecurity programs, ranging from no program at all to Advanced OT cybersecurity operations. In the US for example, there are a reported 250,000 manufacturing sites which contribute significantly to economic performance – about 17% of the US economy is dependent on Operational Technology. One of the largest sectors – chemical manufacturing – consists of 9,000 organisations managing around 13,500[1] plants.
Yet, despite the importance of manufacturing to the economy, OT cybersecurity maturity at many sites remains nascent. This can be largely traced to the maturity of digital programs. Research by the World Economic Forum (WEF) highlights the large variance that exists within industrial sectors, with Energy, Chemicals and Oil & Gas, highlighted as having highly contrasting levels of digital maturity among the operators.
Asset owners without an OT cybersecurity program or with fledgling plans, should start with implementing Foundational security controls. This includes policies and procedures, as well as technical controls such as network segmentation, AV and patch management, and access management.
This may be the destination, or Target Security Operating Model (TSOM) for asset owners with small and less complex operations. There are many consultants and SI’s able to provide these services with high levels of specialisation by region or industry. For asset owners with large, complex operations, this is likely the start of a journey towards a more Advanced program characterised by greater strategic alignment with business operations, continuous improvement, and increasing levels of automation.
The Pathway to Cybersecurity Maturity: Standardise, Centralise, and then Automate
Managing the transition from Foundational to Advanced OT security programs across sites, business line owners, and regions is challenging, requiring partners with the scale and skills to deliver large security transformation programs. Security Leaders should start the journey with a comprehensive risk assessment to identify vulnerabilities and quantify the potential impact on the availability and safety of operations. This will result in a sequential set of processes to accelerate the program: Standardise, Centralise, and finally Automate. Security Leaders rushing to automation without completing the first two steps are likely to achieve an unsatisfactory outcome.
Standardisation is essential. Given the diversity of technologies, processes, and human practices in OT environments, harmonising rules, policies, and procedures is indispensable and lays the foundation for centralisation. A clear, consistent set of guidelines not only reduces the likelihood of error but also serves as the cornerstone upon which other security measures can be implemented. This includes using standards and frameworks such as NIST Cybersecurity Framework and IEC 62433 and adapting them to the unique exigencies of the asset owners OT environment.
The next logical progression is centralisation. There are advantages to distributed security operations that offer localised agility, but they also introduce systemic vulnerabilities through inconsistencies and siloed data. Centralising security operations in a Security Operations Center (SOC) offers the dual advantage of consolidated oversight and unified control. It simplifies the execution of policy adjustments and enables real-time, data-driven decision-making. Centralisation also allows for more effective allocation of resources, ensuring that the best tools and talents are utilised where they are most needed.
Once standards have been implemented, and the security operating model has been centralised, then asset owners can evaluate where and how automation can add value to the security operation. By adopting this framework Security Leaders are more likely to maximise the return on their investment, building a comprehensive, cohesive, and scalable security operation.
Concluding
It takes time and significant resource to design and implement an Advanced security program. For large multinational asset owners, designing and implementing the TSOM is often a highly complex change program. The large number of stakeholders, variation in technology and processes across sites, local regulatory requirements, and differing attitudes to risk, often results in a web of differing and sometimes conflicting requirements.
Asset owners should seek OT cybersecurity services firms with the requisite knowledge of OT systems and networks, experience of implementing relevant standards, and with the skills to manage change. Equally, OT Security Leaders should also consider the strategic direction of the OT security services firm including investment in new technology, processes and skills, and current and future partnerships. As manufacturing becomes more connected, automated, and intelligent, security services firms must be able to demonstrate that they have the knowledge, skills, and capacity to help customers transform operations securely.
For more information on the Industrial Security Consulting and Managed Services Navigator 2023 please contact us here