The #1 Risk with ICS Cybersecurity Budgets

A heavy reliance on OT systems is characteristic of the manufacturing industry, but the accelerating digitization trend introduces new and escalating risks. Increased connectivity of industrial control systems (ICS) to the internet opens possibilities for cyberattacks targeting critical systems. A compromised OT system can lead to severe consequences, including production downtime, equipment damage, revenue disruption, and threats to human safety. As such, the protection of these OT systems has become a top priority, essential for ensuring uninterrupted operations and mitigating potential catastrophes.

Yet, achieving this protection is a complex process, starting with the challenge of identifying who owns the OT cybersecurity budget. In most organizations, OT cybersecurity is still a new practice, largely controlled by IT departments. This approach can lead to confusion and inadequate protection of OT assets due to the IT staff's lack of familiarity with ICS architecture, infrastructure, process, and operations requirements. Despite this, Gartner reports that most organizations remain in the discovery or firefighting phases of OT cybersecurity, with only a few actively implementing and operationalizing security solutions.

Understanding the facility's asset inventory is another crucial aspect of effective cybersecurity planning. Without an accurate inventory, allocating budgets for OT security becomes an uphill battle. The reality is that 99% of organizations are unsure of, or struggle to recognize, the number of OT assets (HVAC, for example) they have within their ICS environment, making it difficult to identify potential entry points for malicious actors. Furthermore, only a fraction of organizations have deployed sensor technologies to collect east-west traffic within the ICS, and retrofits for these installations can be costly and fraught with uncertainty. An accurate, up-to-date asset inventory provides a holistic perspective that can help organizations prioritize security efforts, optimize resource allocation, and determine appropriate investment levels.

Organizations must also consider vulnerabilities, monitoring, and access controls in their planning and budgeting. OT-specific vulnerability management programs identify and remediate weaknesses in OT systems, mitigating potential cyber risks. However, achieving this requires a commitment to device upgrades, network changes, and effective patch management.

Real-time monitoring allows for prompt detection and response to potential threats. By implementing Multi-Factor Authentication (MFA) and robust audit controls for remote access, organizations can prevent unauthorized entries and monitor system activities.

Effective communication is also essential for bridging the gap between IT and OT. Advocating for OT cybersecurity investments to management requires highlighting unique risks, presenting real-world examples, and aligning with business objectives. Currently, boards and senior leadership often assume that IT is handling OT cybersecurity needs, which is rarely the case. A clear articulation of the ROI in OT security can help better allocate budgets and protect critical infrastructure against potential cyber threats.

Federal directives also play a role, though their impact on OT budgeting is still limited. While some regulations for critical infrastructure have been put in place, the majority of the instructions remain vague and lack thorough guidance on data collection and asset inventory requirements. It's also worth noting that most critical infrastructure organizations are privately owned, limiting the Federal government's control and influence.

Finding solutions that not only address security issues but also support reliability and save operational costs is not only possible, but necessary. This requires applying the same due diligence to secure and protect ICS as organizations do for enterprise-level IT security.

In conclusion, assuming that IT has the OT ICS cybersecurity budgetary needs covered in its existing budget is one of the biggest risks to ensuring adequate ICS cybersecurity. Prioritizing OT cybersecurity in budgeting and planning as a separate line item is essential for protecting critical infrastructure and ensuring operational resilience. Organizations must navigate this complex landscape by balancing resources, identifying ownership and responsibility, and implementing proactive vulnerability management.

OT cybersecurity teams can make a persuasive case to management by demonstrating that the IT budget has not historically, nor does it in most cases, adequately cover industrial equipment on the plant floor or critical infrastructure. Emphasizing the significant financial and operational risks associated with unplanned or unscheduled downtime, coupled with the financial risks of an adverse cyber event to production, adverse brand impact, and even the risks associated with loss of human life, helps put the importance of ICS cyber protection in perspective. As we progress further into this digital era, the stakes are higher, making investment in OT cybersecurity an indispensable aspect of industrial operations.

To ensure you think through the key areas around cybersecurity investment requirements for your industrial environment, download our Planning & Budgeting Worksheet for Industrial Cybersecurity & Digital Safety to make sure your bases are covered, or contact us directly for a complimentary consultation at