Influencing OT Security Strategy and Execution When You’re Not the CISO


For many organizations, cybersecurity ranks among the top five business risks. This is no surprise, given the cyber incidents reported in the headlines that are putting all organizations on alert. A recent report found that 75% of OT organizations experienced at least one intrusion in the past year.
 
While every employee can act as a first line of defense against a cyberattack, it is often a member of the IT C-suite who owns the security strategy, policy and deployment across an organization. In fact, responsibility for OT cybersecurity is increasingly shifting from directors and managers to the CISO, with 95% of respondents to the aforementioned survey anticipating this will happen within their organization over the next 12 months.
 
There are certainly a number of security practices that apply to both IT or corporate environments and ICS/OT environments, but that doesn't mean everything can, should or needs to be applied to both environments in the same way. Even as more responsibility shifts to IT, OT leaders still need a say, so that the cybersecurity practices applied fit their priorities. As an OT leader within an industrial organization, how do you influence security policy when you do not own the strategy?
 

Navigating the organization and functions

In many organizations today, there are dedicated, separate teams responsible for OT and IT. Disconnects can result if the OT team doesn't believe the IT team understands what they do or how their function works.

For both sides of the equation, it’s important to acknowledge the gaps in knowledge. Just as IT leaders need to recognize they don’t know everything about how OT functions, OT leadership needs to acknowledge the same.

However, there are similarities and synergies between the two functions and both sides can learn from each other. If the OT team doesn’t understand the network, in what ways can IT help them understand it? This cooperation will be key to finding some common ground.

Understanding the key stakeholders is also essential, and that set varies with the company's size. Depending on the organization, it might be a plant manager of a complex who is responsible for a set of facilities. There might be a maintenance manager or technician who is responsible for keeping the more automated environments running within a specific company. Many of the stakeholders sit within traditional engineering teams, and they are focused on what processes and functions need to operate within that facility.

There's also a set of process control or automation engineers who take those designs and determine how things need to talk to each other, what the programmable logic controllers (PLCs) need to talk to, and so on. Then there's the network team that handles traditional IT. They don't necessarily understand all the different layers and communications needed at the OT layer. The security team and other teams can help, too.

While a number of potential stakeholders could be involved, the key is that decisions and risks are accepted by the business rather than by one department or team. The business stakeholders need to be educated so that they can make a good risk call.
 

Understanding the dueling priorities

The priorities for the operations side are quite different from those of the IT side. IT typically focuses on confidentiality. But in environments that run process control systems, availability and safety of services become the most important concern and the biggest risks you need to mitigate. For this discussion, let's focus on availability. When applying the same availability paradigm to both IT and OT, it's important to discuss commonality. That discussion brings out a shared understanding of dependency: if every authorization must run through a central system, then when that system goes down, everything that depends on it shuts down.

You can start building that commonality while acknowledging that OT and IT have different risk profiles and different ways of mitigating risk; you can't always apply everything you have done in the IT world. This will help establish credibility, keeping in mind that availability is the OT side's biggest concern.
 

Approaches for navigating change while building consensus

Building consensus involves making sure that there is a common goal and a common set of strategies, and that everyone involved understands those goals. The process starts with one person: understand what success looks like for them and find a way to help them be successful.

By building consensus with an individual and then another and another, leaders can start to build credibility and trust. It will be easier to implement change once that level of trust is established. This will go a long way toward achieving the buy-in to implement the needed processes.
 

Bridging the gap between people, process and technology

Creating a better cybersecurity strategy entails the three legs of the stool: people, process and technology. On the people front, training and awareness are among the cheapest preventative measures, yet some organizations don't focus on them enough. It's not just training and awareness on good cyber practices or IT hygiene. It's really helping people understand how adversaries think, how they work and the techniques they use. It's also about giving the IT and security teams training and awareness on how the business runs and its processes. So, training goes both ways and must be ongoing.

Penetration testing and cyber vulnerability risk assessments are key to training and awareness. A good penetration test that covers both physical and IT/OT aspects can show, for example, what intelligence a threat actor can obtain through a wireless network, an unsecured platform or a system that's not patched the right way. Showing teams the reality of what can happen can make a big difference in gaining the needed buy-in.


Influencing for stronger security

As the importance of cybersecurity continues to grow, organizations must bridge the gap between IT and OT to effectively address the evolving threat landscape. Building consensus and trust among stakeholders, understanding their priorities, and fostering a culture of ongoing training and awareness are critical steps. By embracing collaboration and acknowledging the unique risk profiles of each environment, organizations can establish robust security practices and mitigate cyber risks across the board.

About The Author


Willi Nelson is CISO for OT at Fortinet.

