
How We Will Win the Cyber-Physical Battle for OT Security

With each passing day, the threat of attacks on critical infrastructure elements grows larger. Independent bad actors and state-sponsored cyber attackers alike are well aware of the potential impact that another Colonial Pipeline or a successful power grid attack could have. When critical infrastructure is the target, communities, economies and civilian lives are all on the line. Even more concerning, many of these facilities are unprepared to face the threat.

Although headlines about attacks on supply chains and critical infrastructure have dominated the news as of late, the stage for the cyber-physical war was set years ago when industrial environments integrated connected systems into their assets. These devices helped modernize industrial sites, but they also expanded attack surfaces, opening once-closed critical infrastructure sites and the companies that manage them to attacks from threat actors who are well-versed in infiltrating connected systems. With this shift accelerating rapidly, it is time that businesses face the threat head-on: understand the threat landscape and take the necessary steps to correct course.

Refocusing on OT

The increase in cyber attacks on OT systems we’ve seen in the past few years isn’t without reason. Attackers aim to hit companies where it hurts and OT security breaches can deal devastating blows to safety, revenue, operations, and brand reputation and can also lead to serious legal ramifications. Attackers are seizing the opportunity to get bigger headlines, larger payouts, and more significant impact through these attacks, which means companies need to shift their focus from IT to both IT and OT systems.

The past few decades have seen cybersecurity programs focused almost exclusively on protecting data in IT environments, but industrial enterprises that want to safeguard their assets cannot continue to conduct business as usual. Attackers are reimagining their methods, prioritizing cyber-physical attacks over data leaks and breaches. The security tactics that work for IT networks do not translate seamlessly into OT environments, and in the coming years organizational efforts to protect those environments will have to reflect this changed attack landscape.

That said, most businesses want a single, unified team handling their cybersecurity needs. Due to the emerging focus on OT cybersecurity, companies are realizing they’re not prepared to tackle OT challenges. Fewer cyber professionals have the extensive OT experience needed to implement effective programs, but the need for OT protections is growing rapidly. As such, companies will face a choice: get their IT professionals up to speed (and do it quickly) or turn to external partners with OT cyber experience to build out capabilities.

The takeover has already begun. Companies are restructuring their cybersecurity teams to focus on OT concerns and that trend will continue. CISO roles are already evolving to address OT threats more thoroughly and OT is becoming the priority for boards awarding funding to cybersecurity programs. These trends are likely to accelerate as the industry works to address the ongoing threat to cyber-physical industrial environments.

OT technology requires expertise

When OT cyber attacks came to the forefront of the public consciousness, companies assumed they could apply the same remedies as they did for IT cyber concerns: They invested in monitoring solutions to alert them to possible vulnerabilities or breaches. However, the OT space is highly specialized and companies often lack the necessary expertise to put those solutions to use. They assumed their existing teams could understand and apply the data collected by the monitoring system, and they assumed wrong.

While many of today’s monitoring systems are very good at what they do, they’re just (as one power and technology executive put it) “expensive paperweights” without the experts and domain knowledge to turn the raw data into actionable intelligence. Unfortunately for critical systems operators, there aren’t enough people with that expertise to go around. That limited talent pool will make technology sales without services difficult for small and large businesses alike. Organizations of all kinds are already running into trouble staffing in-house OT cyber teams. It’s a round-the-clock undertaking that demands constant innovation.

Managed security service providers (MSSPs) are shifting the market away from the technology-only solutions toward a services-based approach. Technology companies will need to form strong partnerships with MSSPs to offer customers access to top-of-the-line managed services supported by best-in-class products, customizing the solutions to client needs. This will allow MSSPs to select, install, manage and operate an OT cyber solution, providing an efficient and cost-effective way to fill the OT cyber talent gap while leveraging industry-wide insights that in-house programs can’t access.

The market drives all

Governments around the world are responding to the surge in OT attacks by increasing and expanding regulations. Although this helps bring OT cyber into focus for business leaders and sets some minimum standards, it is not nearly enough. Put simply, you can regulate your way to compliance, but you cannot regulate your way to security. Regulations, by their nature, enforce a minimum standard across a broad range of companies. They are also focused on whether you do something, rather than how well you do it.

The market drives business. Top line. Bottom line. Competitive advantage. Stock value. These are the kinds of drivers that motivate companies to do their best. You’ll never hear a board of directors say, “let’s do the most we can in OT cyber because the government wants us to.” However, if a board sees their stock price go down because they had a poorly rated OT cyber program, you can bet they would quickly become experts in all things OT-cyber-related. Have a company lose a proposal bid because their competitors have better cyber and you will have the heads of sales and operations demanding a world-class cyber program.

Cyber attackers have strong motivations that range from financial gain to political and ideological drivers. Companies can’t keep up if their own motivation is “the government told me to do it.” Attaching OT cyber to how companies make money and how they compete is the only realistic way to compel them to keep pace.

What now?

The battle for the world’s critical infrastructure began quietly and it began years ago. It’s well past time that companies within the industry take meaningful steps to safeguard their assets against bad actors looking for payouts, especially as the realities outlined above come into stark focus. Enterprises can no longer rely on IT programs to protect their operations from hackers’ ever-advancing techniques. The battle for OT is already raging in the operations, networks and equipment of the industrial sector.

Unfortunately, many companies are flying blind when developing techniques for protecting their OT assets. They don’t know where to begin. OT cybersecurity programs are new, so many organizations will start the process with the OT basics, like asset management, vulnerability management and monitoring. Those who have already started the work will need to pursue higher-level actions like developing an incident response plan, resolving lingering OT-IT conflicts, investing in more advanced programs and engaging in coalitions focused on collective defense within industrial sectors.


Overall, though, businesses with OT environments need to worry less about where to start and worry more about starting at all. Assessing baselines and setting goals is the easy part; the hard work is what comes next: actually doing it. The best thing companies can do to get their OT cyber programs off the ground is to invest the resources and get started. With so much on the line, it’s imperative that all organizations within the industrial sector, regardless of their size or ongoing IT cyber efforts, take steps to join the fight on the OT battlefield.