4 minute read 26 Feb 2024
Business people working in server room

Is Operational Technology Security your shortcoming or long-term advantage?

By Roman Haltinner

Partner, Cybersecurity Competency Leader | EY Switzerland

Focusing on all aspects of information cybersecurity and business resilience. Passionate about experiencing nature with his family. Likes reading new scientific books while having glass of wine.

4 minute read 26 Feb 2024
Related topics Cybersecurity Consulting

As digital technology and physical processes converge, securing operational technology (OT) has become a business imperative.

In brief

  • With the focus on maintaining business continuity, operational technology (OT) security goes beyond technology and evolves into a comprehensive strategy that permeates every facet of an organisation. Different stakeholders can contribute to a holistic understanding of the threat landscape in your OT environment.
  • A comprehensive risk assessment will flag risks and identify ways to mitigate threats and vulnerabilities that could impact critical systems.

In an increasingly hybrid world, operational technology (OT) security is no longer just a topic for automation and engineering professionals, cyber security specialists and IT experts. Business leaders, supervisory boards and other stakeholders are also acknowledging the risks associated with poorly secured OT systems for production processes, value chains, products and customers. 

While many companies acknowledge the critical role of cybersecurity in manufacturing and the need for adopting suitable technical and organizational measures to uphold the availability, confidentiality and integrity of OT-IT systems, they frequently encounter the challenge of determining the initial steps, sequencing, and priority areas to embark on this crucial journey. The OT security transformation journey demands a proactive approach that considers the unique challenges of securing industrial manufacturing processes. Understanding the landscape, building collaborative teams and implementing comprehensive cyber security strategies are key success factors, enabling organizations to manage the change while protecting their operations, reputation and growth prospects.

Step 1: Understand the threat landscape

Different stakeholders naturally approach the topic of OT security with their own perspective on priorities. An IT specialist in enterprise IT, for example, will take a different view to an automation engineer or a business representative. Conversely, a site manager will invariably focus on business continuity. Although managing different stakeholders can be a challenge, it is also an opportunity to seek different viewpoints for a realistic and holistic take on the threats your organization is facing.

In the realm of OT security, several established international industry standards are also available to guide companies through their threat landscape exercises, including IEC 62443, the Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST) and good manufacturing practices (GMP).

No standard is likely to offer a comprehensive solution in isolation, but their content can help guide organizations as they examine their individual threat landscape and navigate the various international standards to tailor requirements and measures to their own organization.

Global companies should also assess national and international industry and regulatory requirements to determine which current and future cybersecurity compliance guidelines are applicable to their operations. Regular updates and monitoring of compliance frameworks are essential to ensure ongoing adherence to evolving cybersecurity standards.

Step 2: Identify vulnerabilities and quantify risk

Once you understand the threat landscape, the next step is to assess risks and to identify ways to mitigate threats and vulnerabilities that could impact critical and vital industrial systems. Major threats and vulnerabilities can occur in the manufacturing industry, such as ransomware attacks with malicious software infecting manufacturing systems due to an outdated or unpatched software. Unauthorized access to industrial control systems (ICS) is another significant threat that can arise if networks are not adequately protected.

We recommend the following five steps for a comprehensive and effective risk assessment:

  • Start with an asset inventory

    Before starting your risk assessment, it is important to create an asset inventory and categorize items based on criticality. This will allow you to implement a strategy related to effective security measures and reduce the likelihood of cybersecurity attacks.

  • Identify threats and scenarios

    Identify potential threats to the OT environments of human, operational, technical, or natural order. Tap into the knowledge of existing internal and external stakeholders such as your CISO, IT security team, IT operations team, ICS specialists and security consultants. Then, for each threat identified, create a specific scenario on how this event could happen and what impact it could have on your assets.

  • Perform a vulnerability assessment

    Determine any weaknesses or gaps in the security of OT assets and systems that could be exploited by the identified threats. It is important to consider weaknesses in the technical components of a system (e.g., misconfigurations and errors in code) as well as non-technical vulnerabilities, including aspects like human behavior, organizational processes and physical security measures.

  • Evaluate risks and mitigation actions

    Establish a risk matrix based on the likelihood and the impact of each threat identified for OT assets. This step helps to calculate the risk level and prioritize risks that need immediate action. For each risk identified, a recommendation should be associated to reduce the risk level.

  • Update your risk assessment regularly

    It is crucial that your risk assessment reflects changes in your organization’s environment, technology or threat landscape. As security threats and cyber-attack mechanisms constantly evolve, regular risk assessments are needed to stay on top of new vulnerabilities.

A comprehensive risk assessment should identify key operational technology security risks, particularly those that can directly impact financials, operations, customer satisfaction and regulatory compliance. The results should be seamlessly integrated into and shape the strategic framework of your operational technology security program. This needs to not only be aligned with your organization’s overarching goals but also take into account your risk tolerance. Learn more and prepare for your own OT transformation journey:

Business people working in server room

Your guide to operational technology security in a hybrid world.

Download PDF

Summary

Recognizing the multifaceted challenges posed by securing industrial processes, we advocate for a proactive approach to OT security transformation. At the heart of this is the need to understand the threat landscape, conduct comprehensive risk assessments and align security initiatives with business objectives and risk tolerance. 

Acknowledgement

We thank Eliel Mulumba, Iuliia Simonova, Andrzej Milosz and Poschia Agyeman for their valuable contribution to this article.

About this article

By Roman Haltinner

Partner, Cybersecurity Competency Leader | EY Switzerland

Focusing on all aspects of information cybersecurity and business resilience. Passionate about experiencing nature with his family. Likes reading new scientific books while having glass of wine.

Related topics Cybersecurity Consulting