Recent Searches
In brief
Operational technology (OT) is an essential business enabler for companies that rely on physical processes. Manufacturing, energy and utilities, transportation, and oil and gas are just some examples of the industries that use OT to automate their industrial operations and achieve more efficiency, increased safety and effective controls. The result is higher quality, cost savings and enhanced compliance with regulatory requirements. But as digital transformation – and especially advanced data-driven technology – blurs the lines between IT and OT, companies need to take a step back and consider the bigger picture, including all risks and rewards. This is especially true in a world in which risks can come from outside or within the organization and may emerge at any time in the OT lifecycle.
Against this background, it is vital to understand and effectively manage your OT risk environment. The first step is to perform an OT security risk assessment.
It is common practice to perform risk assessments in industries such as finance, healthcare and energy, as they are critical for managing potential risks and ensuring business continuity and operations. Similarly, risk assessments play a vital role in the enterprise IT context, where companies need to address the growing cybersecurity threats, data breaches and system failures – and defend against them effectively.
In the gap assessment, a company’s current OT security posture, along with existing controls, is compared against a list of recommended security controls such as NIST 800-82 Rev 2, ISO 27001 and IEC 62443.
During the vulnerability assessment, the current patch levels of applications and devices are compared against a list of known vulnerabilities for those specific patch levels. Based on the results of the gap and vulnerability assessments, potential attack scenarios and the risk exposures of system can be more accurately determined.
Risk mapping helps identify, evaluate, and prioritize potential security risks within the OT environment. This process should be performed regularly and is crucial for understanding vulnerabilities, potential impacts and the likelihood of various security threats.
This approach can be applied repeatedly along the operational technology security lifecycle from the design of a future OT/IT architecture, the procurement of OT/IT equipment and the installation, maintenance and decommissioning of systems.
Once gaps in the operational technology security posture have been identified through the assessment process, a deeper analysis is required to assess the associated risks, including the potential impact and likelihood of exploitation.
How EY can help
Discover how EY's cybersecurity, strategy, risk, compliance & resilience teams can help your organization with its current cyber risk posture and capabilities.
Read more
We believe that with the right approach, companies can position themselves to be more agile, efficient and competitive in the market, while minimizing their exposure to risk.
We thank Eliel Mulumba, Iuliia Simonova, Andrzej Milosz, Pascal Winkler, Mundia Lillian Moola Büsser and Abdelaziz Zobairi for their valuable contribution to this article.
Is Operational Technology Security your shortcoming or long-term advantage?
s digital technology and physical processes converge, securing operational technology (OT) has become a business imperative.
In an evolving cyber threat landscape, how do you develop Operational Technology (OT) resilience?
As cyber risks at the intersection of IT and operational technology grow, organizations should focus on ways to build resilience now.
