Traditional industrial control systems (ICS) tend to be “insecure by legacy / design” which presents great challenges to secure. To add insult to injury, it is also proprietary, highly bespoke, and often managed by third-party vendors. As practitioners of cybersecurity, “one of everything” resonates.
IT focuses on CIA (confidentiality, integrity, and availability) which is counterintuitive in ICS environments – where critical infrastructure is all about SAR (safety, availability, and resilience) and did I mention safety? Given the decades spanning operational technology (OT) investments, it is critically important to understand everything that you have. Whether it is a vendor-driven assessment or a foundational inventory, the same credo exists – you cannot secure what you cannot see. Unfortunately, it is often the case that visibility comes after the fact.
Securing OT presents unique challenges beyond what it takes to secure an IT system. Not only in the requirements, but in communicating a clear understanding of the severity and risk to their plants. The convergence of IT and OT requires teams on both sides to understand these differences and work together, which can introduce cultural challenges if not carefully managed. ICS cybersecurity professionals need to be able to demonstrate that security is a threat to operational continuity. Operational leaders need to see cyber as just another risk factor driving toward safety.
OT engineers must be able to adjust the ICS environment at the drop of a hat. Prior to the advent of Stuxnet, concerns around these changes were not as closely monitored outside of the plant context. Change management is now more challenging due to the drive for efficiency, Industrie 4.0, new and improved systems, processes, and connections – resulting in a continual battle to understand what a legitimate change is and what might not be.
We recently interviewed 20 OT security professionals who speak to these challenges. Read their first-hand experience in the first of a 4-part series of eBooks, Advice for CISOs, How to Approach OT Cybersecurity. Despite the title, the information presented is useful for anyone involved in protecting OT environments.
Do you agree with the points from contributors or my analysis above? Join us for a webinar on September 4 where I will discuss my key takeaways and will provide an opportunity for you to give your thoughts: