To achieve cyber resilience in OT, speak another language

A group of business people in an office at night

Share This Post

The challenges that operational technology (OT) has faced around cyber security and resilience have come into sharp focus in recent years. Research shows that Australia is actually the most at risk in the world, with 82% of organisations having faced a cyberattack in the past year through their OT systems, and 28.6% having to shut down operations in that time due to a successful attack. 

This is especially concerning given the role that OT plays in the critical infrastructure that we rely on to function as a society. Energy systems, transport networks, government buildings and more have become a sovereign risk that the organisation’s leadership through to governments are keenly aware of. When a cyberattack can result in power outages or access to fuel being shut off, there’s a clear incentive to move quickly to address the problem.

But then there is the other “level” of businesses that make heavy use of OT, encompassing factories, production lines, and other industrial environments. These are critical to the economy but, individually, not considered to be critical infrastructure to Australia’s sovereignty. The problem that these organisations face is that they’re vulnerable without necessarily having the attention and support or resources available to them that critical infrastructure does.

Where The Risk Is Coming From

As the IT and OT environments of these systems become increasingly interconnected, the resilience of both domains becomes intertwined. However, on the OT side of the operation, organisations and their teams typically lack the awareness and support necessary to secure their environments effectively. It is true that in many cases, the IT and OT teams within the organisation are also siloed, without a bridge between them.

However, while this is often cited as a major reason why OT environments are at risk, it is also one that is relatively easy to overcome. A bigger problem is the lack of will to do so. While there is generally an understanding and desire to become certified and comply with the base standards and industry-specific standards within IT, OT is a different story entirely. Standards as basic as ISO 27001 are often overlooked or simply ignored within OT, leaving a significant gap in protection. 

At Excite, we often see resistance to the critical need for alignment with the most foundational sector-based frameworks, such as the Australian Energy SectorCyber Security Framework,   international standards like IEC 62443, and NIST Special Publication (SP) 800-82, Guide to Industrial Control Systems (ICS) Security. 

One of our objectives, then, is to ensure that clients firstly understand the need to achieve compliance with these standards, and adjust their approach to cyber security in OT to meet them. To do that we need to present cyber security as more than a checklist-ticking obligation, but something that truly addresses the risk profile that the specific business has. This is a strategic approach to cyber security that then allows the organisation to embrace innovation in both IT and OT with confidence that it isn’t increasing its risk surface. 

Our success in achieving this highlights why partners are pivotal to helping organisations with OT secure their environments against cyber threats. The partner needs to be able to engage with both the technical personnel and the C-level executives, understanding that each group has its own understanding and priorities with cyber security. 

What is interesting is that the most knowledgeable technical staff can often be the most resistant to external advice, creating a significant barrier to effective consultation. This is why it is crucial to identify and develop “champions” within the organisation; individuals who understand and appreciate the value of cyber security and become the driving force for cyber security initiatives, helping to smooth over resistance and embed a culture of security across the organisation.

Other important techniques to look to the external partner to bring to the organisation to help it overcome resistance to OT include:

  1. Education and Training: Making use of penetration testing techniques to demonstrate where the weaknesses are can be one of the most compelling ways to help the organisation understand its risk profile. 
  2. Framing Cyber Security As A Strategic Opportunity: Ensure that cyber security goals support operational objectives. For example, if operational efficiency is a goal, demonstrate how cyber security measures can enhance system reliability and uptime.
  3. Demonstrate value early: Be able to articulate an ROI on cyber security practices early. This means finding a “low-hanging fruit” in the initial instance to demonstrate what can be achieved by then taking a holistic approach to the whole of environment.

Overall, achieving a secure environment across both OT and IT requires an inclusive and strategic approach to engagement. There will be resistance as long as teams feel like the security steps are restrictive and inhibitive, so understanding where the pain points are and then demonstrating how security can be part of the solution is an important process for both internal and external partners to understand together.

The cyber security threats facing OT environments are only going to become more pronounced over time, as threats proliferate. For those in critical infrastructure, as global tensions escalate, the attacks will become more sophisticated and aggressive, too. Just this week a rare earths mining organisation was targeted and sensitive data was released to the dark web after a Chinese investor was forced to divest their shares from the company.

It follows, then, that the next time Australia becomes involved in a trade dispute or conflict, OT systems in critical infrastructure are going to see another spike in attacks. Now is not the time to allow resistance to cyber security undermine the resilience to the probes of increasingly organised and well-resourced attackers.

More To Explore

cyber-security

Should You Pay The Ransomware Demand?

Ransomware news seems never-ending, but the most recent example is particularly pertinent to the subject: The Indonesian government refused to pay the ransom after a