No company should underestimate the importance of keeping its operational technology online and secure. Nonetheless, OT cybersecurity often gets lost in the shuffle and can easily become a detriment to its ability to generate revenue.
To many observers, OT and IT may be considered one and the same, and fall within the same purview. Take it from us at Velta Technology when we say nothing can be further from the truth.
That’s not a knock against IT. We understand IT functions are essential to managing the business by providing and maintaining digital software tools that support email, data storage, accounting information, human resource systems, and more.
However, it behooves companies to recognize the essential nature of industrial control systems (ICS) and think about their cybersecurity vulnerabilities in different, more modern terms. After all, OT is what helps generate revenue by production of goods, services, power or water. It plays a vital role in fulfilling your company’s mission and meeting customer needs.
This begs the question: why is OT cybersecurity out of sight and out of mind until an adverse event occurs? Adverse events are becoming increasingly common, and access to these networks is becoming increasingly less secure. System shutdowns and physical risks are possible and can be costly, whether it’s loss of production, product damage, environmental harm, or even loss of life. Given the potential liabilities, why is OT security commonly an
The answer has everything to do with ownership. Oversight of machine center software falls to OT by default, with IT having little or no defined role involving ICS. It would be a mistake to assume the proper synergy exists between IT departments and OT engineers when it comes to securing and managing ICS systems.
Over many years in this industry, we at Velta Technology have learned that IT is fundamentally unfamiliar with the nuances and requirements necessary to understand and safeguard these critical assets. When we evaluate and scrutinize plant floors for digital safety, we commonly open an OT panel and ask IT personnel a series of basic questions like, “What are you doing to protect these ICS assets? Do you have an asset inventory showing the technology and equipment installed in the panels across all your plants? Who’s accessing these machine centers and what does their activity entail? Is the access monitored and recorded? What is the primary PLC architecture deployed and why? Who sets these standards?”
Answers to these important questions are hard to come by in nearly every instance. We often deal with OT assets that have decades-long life cycles and run Windows 7 or Windows XP, which by now are foreign territory to IT teams. They can’t tell us who patches and administers these machines, and they certainly can’t derive metrics from any of them.
Here's the bottom line: OT has inherent security vulnerabilities that are far beyond the scope and expertise of typical IT departments. IT teams are key partners who should have a seat at the table, but they should not be the ones making critical decisions that could potentially leave your OT with gaps in securing and protecting ICS.
The risk to these systems is so pervasive, it’s scary. Someone can simply plug their laptop into an ICS system, and nobody will be notified or made aware this person is accessing the network or ICS systems. Neither IT nor OT has any idea whether they’re stealing intellectual property, leaving behind malware or vulnerability exposures, or whether the laptop is connected to a cellular network, which grants the outside world access to this critical space. Irrespective of whether this person has malicious intent, all their activity occurs under the radar and is completely undetectable.
The remedy requires a major shift in culture for the purpose of eliciting internal buy-in from the top down. OT is part of your company’s livelihood and should be treated accordingly. It’s an imperative that must be widely accepted internally and ingrained into the fabric of your business. That means getting everyone, from the C-suite to the plant floor, on board with prioritizing OT digital safety.
This requires fostering true collaboration between employees across the company including engineering and plant managers, process control engineers, IT departments, and the senior leadership team. You can only ensure cyber protection of your ICS equipment when these stakeholders engage in meaningful dialog and actively participate in peer groups on all things related to ICS digital safety.
The C-suite and board of directors have the ultimate responsibility for considering OT digital safety from strategic and budgetary standpoints. Investments must be made over time to introduce an OT-specific cybersecurity framework and appropriate visibility tools to glean intelligence from the inner workings of your plant floor equipment, and to evaluate this data to achieve optimal OT security.
These investments send a message internally and can have a motivational effect on OT engineers as they feel support from upper management, and will be better equipped to take ownership of ICS equipment security.
The critical questions the C-suite should be asking are: “What is the required level of investment? Which areas require the most investment? Over what length of time can we reasonably expect to achieve our OT security goals?” These are difficult but essential questions that require answers. A better question from the C-suite would be, “Are we exercising the same level of due diligence to secure and protect our ICS (OT Environment) as the Enterprise?”
The picture becomes clearer when you bring in a team of experts with the cross-functional IT and OT experience and deep understanding of the industrial cybersecurity space, like Velta Technology.
Don’t let your OT cybersecurity get swept under the rug, and don’t be lulled into a false sense of security by the belief that IT is covering the bases with its enterprise security strategy. We have the tools, solutions, and expertise, designed specifically for OT/ICS, necessary to assess, continually monitor, and shore up your plant’s OT digital safety vulnerabilities and needs.
We’ll help you compile an accurate asset inventory, gain continuous visibility into your ICS systems, and give you tools to potentially secure better insurance rates with Velta Technology’s Connected Devices Vulnerability (CDV) Index. This valuable tool is the new industry standard in collecting measurable data points you can practically apply and use to measure progress and improvements around OT digital safety.
Through our Tabletop Exercise, we’ll teach you how to get your internal stakeholders involved and better informed about OT protection and ownership. This promotes open dialog and stronger cross-disciplinary communication, which creates a better understanding of potential threat vectors and reduced operational and financial risks.
Investing in OT security and keeping internal stakeholders engaged in the process will go a long way toward keeping your industrial manufacturing or critical infrastructure online and operating efficiently, and thus, securing your company’s livelihood and future.