OT Security Questions and What You Can Learn From Them (Part 1)

In my role at GE/Wurldtech, I spend a lot of time with customers and industry leaders discussing issues related to ICS/SCADA security, which we also refer to as operational technology (OT) cyber security. Over the past several months I’ve noticed a recurring set of questions from customers that I felt needed addressing — practical issues that I believe will help you as you invest in securing your digital future.

Question 1: Are Cyber Security Threats Real?

During the 2016 Security of Things Conference, there was one clear message from attendees: they are appalled at state of security in IoT. Research studies and an increase in media coverage indicate that executives have a growing concern about cyber attacks of all stripes, but increasingly they are concerned with attacks on critical infrastructure.

The Industrial Control Systems Cyber Security Emergency Response Team (ICS-CERT) showed that critical infrastructure in the United States alone experienced a 20% spike in cyber incidents from 2014 to 2015. A study in 2016 commissioned by Wurldtech with YouGov found that over 50% of respondents said they expected to see more attacks on their OT systems in the next 12 months. Most assuredly, cyber security threats are real … and growing.

Digital technologies in industrial settings are enabling a whole new level of performance. The trend I’m seeing in the market is a focus on securing existing infrastructure – assets and equipment that has been in production for years, before security threats were even a discussion. Make no mistake, this is critical. However, there’s an assumption that new equipment being purchased have security built in. This is categorically false.

The pursuit of implementing new technologies to gain competitive advantages is overlooking the need for to ensure new assets are secure. Security is not something you can bolt on, it must be built in … and this is particularly true in the IoT space. Once an asset ships and is implemented, it can be extremely hard to update with security.

Question 2: Who Is Responsible for Implementing Cyber Security?

The “who” in this case is everyone. We all have a role to play in OT cyber security: Whether a person’s role is over people, process, or technology, we are all responsible for driving adoption and implementation.

From our perspective, business leaders need to be ultimately accountable, because OT is primarily a revenue driver — it runs production. That said, operational executives (such as VP of plant operations) should take ownership of cyber security initiatives, but with the understanding that they can’t do it themselves. Most progress is found where there is partnership between OT and IT to drive a holistic cyber security strategy.

In the June 2016 SANS Report, State of ICS Security, researches noticed an increase in roles who were taking ownership of OT security: “Once again this year the largest group of participants hold security administration/ analyst positions (29%). We also saw several encouraging new titles in the ‘Other’ responses, including ICS cyber security program manager, ICS security project manager, IT/OT (IT/operational technology) architect, and director of cyber security for building and facilities systems.”

This is definitely encouraging to see, and I hope this trend continues.

Question 3: What if IT Says They Have Security Covered?

By definition, IT security is focused on protecting information assets … aka data. OT cyber security is focused on protecting process controls, and the critical assets that are driven by those processes. The goal is to protect against unplanned downtime of a critical asset or process due to a cyber event. pro another way, OT is focused on operational assets, where cyber incidents can have physical consequences.

To be sure, loss of data is extremely important, but loss of operation impacts revenue, reputation, and potentially the safety of employees, or even the surrounding community or environment.

Importantly, when you’re protecting data in a traditional enterprise environment, you’ll use a certain set of IT security technologies—like a next-generation firewall, Web and email security, and data loss protection solutions.

But in OT, the tools and technologies are quite different, because the network communications, protocols, and end points are different than what you’ll see in an IT environment. The approach and technologies used to secure these assets must fit the job.

That said, working together, IT and OT can greatly minimize threat vectors that span data and processes.

More To Come

That’s a lot to digest, so I’ll leave here for now. Next time I’ll discuss talent, securing budget and concrete steps to take.