Organizations are still making too little progress toward complete operational technology (OT) asset protection. This occurs at a time when more OT systems are connecting to the internet, attacks on systems are more frequent due to geopolitical events, and IP-based threats are growing more sophisticated and damaging. This combination of factors is making OT security a greater priority for many organizations.
Of the many challenges that OT security leaders must address this year, the most worrisome are due to new international legislation, the constantly expanding threat landscape, the complexity of compliance, and the cybersecurity skills gap that makes it hard to meet OT and IT workforce requirements.
Security, Risk and Compliance
Prioritizing compliance compared to security and risk will be the CISOs' first major challenge in 2023. Although compliance, risk and security are interdependent, they aren’t necessarily coordinated and equally balanced. When attempting to safeguard OT, this imbalance can cause significant problems.
Let's start with compliance, which means the requirement to adhere to internal or externally imposed policies, regulations and norms. Compliance doesn't automatically equal security; compliance simply implies that your firm ticks a box as it complies with requirements.
Risk is quite a different matter – one that involves a discussion about business. To illustrate how risk operates in a firm, take vulnerability management as an example. If there is a vulnerability, you must assess the danger against all the labor required to address it. If they want to be effective, CISOs must consult with their business-oriented leaders about all vulnerabilities from a risk-versus-reward viewpoint to make informed decisions.
Hurdles that Hinder Adoption
Because most infrastructure is held by private firms, the U.S. often adopts critical infrastructure rules more slowly than other countries. So, as government agencies develop regulations to better protect critical infrastructure and the citizenry, it takes a lot of back and forth amongst those agencies, businesses and lobbyists to implement an overarching policy or set of rules.
While most businesses acknowledge the value of laws, they’re frequently hampered by a lack of time and resources. If security resources are hard to come by, then OT security specialists may as well be unicorns. You usually take one of two roads in OT: either you work in cybersecurity and have an OT perspective, or you’re an automation engineer and are required to meet security criteria.
Finding someone with practical experience in both security and OT is quite challenging. Additionally, most organizations don't have enough funding for cross-training.
Sharing the Load
When you work in OT, there’s no way you can own every aspect. You collaborate with other people, including partners, engineers and various business departments. However, it is your responsibility to persuade everyone to take security measures and make cybersecurity a top priority. As a result, OT leaders cannot any longer be the team known for saying "No"; they must develop into a team that facilitates.
Again, the lack of cybersecurity talent can be a significant problem. While the cybersecurity skills gap is lessening, there’s still an estimated shortage of 3.4 million cybersecurity professionals globally. OT leaders must be the “enablement team” if they are to have an impact on their organization. That demands people-influencing abilities as well as OT/security expertise. They must re-iterate this message: “If OT is not safeguarded, the company could lose a great deal of money.”
Being an evangelist and influencer is crucial if you are an OT leader. You’re not merely a security expert anymore.
In the relatively new world of connected OT, enterprises across the globe are making insufficient headway in securing ICS and SCADA systems. Recent incremental advancements in security maturity have not significantly impacted real-world security outcomes. As a result, the majority of companies continue to experience intrusions—usually several times each year.
The 2022 State of Operational Technology and Cybersecurity Report found that of those that had no network intrusions in the past year, 37 percent were more likely to have network access control technology in place. And 32 percent were more likely to have their SOC monitor and track OT security, and they’re infinitely more likely to use just one vendor for their IP-enabled OT devices. The latter point demonstrates how reducing complexity in networking and systems helps reduce the attack surface and improve security posture.
Some governments across the globe are issuing warnings about the likelihood of multiplying cyberattacks on critical infrastructure and important financial assets due to current geopolitical circumstances. Industrial firms from a variety of sectors would benefit from advancing the maturity of their OT security initiatives as soon as possible.
To create zero-trust access, they must make use of technology for orchestration, automation and predictive behavior. They would also do well to adopt the security practices of top-tier organizations. With these tactics, they will be able to defend against threats from state-sponsored attackers, insiders who are well-intentioned or make a mistake, and cybercriminals.