
Improving OT cybersecurity: Guidance for industry leaders

By: Raj Batra, President, Digital Industries, Siemens USA

Historically, organizational focus on cybersecurity has occurred within Information Technology (IT). That’s where all the data was, right? 


Now, however, we are bringing the physical world online through automation and digitalization, combining the IT world with the Operational Technology (OT) world in completely new ways. And there’s risk alongside the reward of doing things faster, more cost-efficiently, and more sustainably than ever before: overlapping IT and OT expands the attack surface for cybercrime. 


Cybersecurity for OT involves matters that we have not had to consider in IT. As we network our machines, production lines, buildings, and factories we must understand that a cyberattack on OT doesn’t just attack data—it also impacts machines and infrastructure. That impact can have major ramifications for production, supply chain management, and customer fulfillment. In a striking prediction, the tech-research firm Gartner has said that within three years, cybercriminals could successfully weaponize OT assets and environments to such a degree that they could threaten human health and safety.


Now is the time that leadership must promote a culture of awareness about OT cybersecurity and take action to build responsive programs. Across the board, companies large and small must understand the importance of OT cybersecurity and devote at least the same level of urgency to it as they have done with IT cybersecurity, enabling both IT and OT to fulfill their cybersecurity needs and responsibilities.


This is a call for industry leaders to step forward with a comprehensive cybersecurity plan as part of their digital transformation. I would like to suggest that it breaks down into four high-level efforts. 


Develop a formal, dynamic OT-focused cybersecurity program


Executive leadership must emphasize and allocate resources for the creation of an OT-focused cybersecurity program.  


Your operational technology merits at least as much of a documented, continually improving cybersecurity program as your information technology. This requires an understanding of the digital landscape specific to OT, which differs a good deal from IT. Input from the OT community will be central to the development of the program. While they are not necessarily familiar with the IT language of cybersecurity, they’ll know where the key vulnerabilities are and what kinds of resources need to be allocated to achieve basic, intermediate, and advanced protection measures.  


Promote IT/OT alignment and collaboration


It is common today to hear about IT/OT convergence. I think that oversimplifies the situation. 


Though both IT and OT are digital, the data that they generate, the uses of that data, and the ways in which they consume and transmit data are quite different. Consequently, OT networks have different points of vulnerability to be managed, and different consequences in the event of a successful attack.  


The OT world consists of hardware operating in real time to create physical products. A disruption could immediately lead to enterprise-threatening outcomes. A cyberattack on OT can result in unplanned downtime, missed order fulfillment, physical damage to machines and, most importantly, product adulteration and/or injury to personnel. 


The IT world deals predominantly in reactive and analytical data—intellectual property, personnel data, financials, and internal communications. An attack can threaten the enterprise just as profoundly, but the breach and its consequences may not be as immediately apparent. 


While IT and OT face different challenges that cannot be solved through a single cybersecurity approach, they each provide attack surfaces that could be exploited to reach the other. So the best solution is an IT/OT collaboration. This process starts with all stakeholders understanding and agreeing upon the nature of the risks, the methods of detection and response, metrics, communication of threat response and assessment, and the specific needs and differences between key IT and OT assets and processes. The collaboration must also define the IT and OT tactical responses to cyberthreats and clarify how these might overlap, affecting cooperation, coordination, and each unit’s specific data requirements and controls.  


Ultimately, a well-formed collaborative cybersecurity plan should result in an operative agreement between IT and OT that clarifies their individual and shared cybersecurity objectives, requirements, and responsibilities. This is essential to supporting the complete digitalization of industrial enterprises, and is typically new collaboration territory for OT and IT leadership.  


Recognize that OT cybersecurity needs a digital ecosystem to thrive 


While I’ve outlined cybersecurity priorities for OT, I also want to point out one of the clear security benefits that come with digitalization: Embracing the Industrial Internet of Things (IIoT) and moving data to the cloud can be used as a security asset for protecting data.  


Data can truly be safe in the cloud because the cloud operates with significant security capabilities that can respond very quickly to threats, and that are also evolving as threats evolve. As companies digitalize, they must make smart choices about data partnership and whom to entrust with operating the cloud services that they want to use. The message here is: be informed so that you get the cloud security performance you want for the level of connectivity you need.


Additionally, when you add digital twin technology and simulations to the IoT and the cloud, you create a very powerful security ecosystem. That’s exactly the ecosystem OT needs, because you can’t defeat an enemy you can’t see. Networking your operations connects OT to data analytics that in turn enable companies and operators to see critical data and gather insights in real time. This gives them visibility into the virtual side of the operation, from beginning to end, so they can truly own the operational side of the business.  


Build a true risk-management approach into OT 


At the highest level, there are four key areas of comprehensive risk that must always be accounted for: quality risk, production risk, reputational risk, and personnel safety risk. These might be OT risks, but they have relevance for the entire organization.  


Thus, implementing a number of standards-based best practices can quickly and significantly improve OT cybersecurity. These would be segmentation (dividing the whole network into controllable subnets), comprehensive backups, and individual passwords at the administrative, engineering, and user levels. Put into practice early in the development of an OT cybersecurity plan, they can create basic yet quite strong layers of a Defense in Depth (DiD) strategy, which correctly covers plant security, network security, system integrity, and preparedness for recovery. Then, the OT cybersecurity program can start identifying and mitigating the remaining gaps with a true risk-management approach. 


What I’m describing here is new territory for most executive leaders, because most managing boards and C-level executives don’t have much visibility into the cybersecurity posture of their critical manufacturing networks and systems. This is due in part to the fact that the current metrics reported by most IT teams do not include anything about manufacturing networks and assets, given the IT-OT divide mutually established over the last 20 years. That divide must now be reconciled if we are to manage the cyber risks that OT faces.


Published: June 23, 2022