Hongkong at night from above

How to land a successful operational technology security transformation

Are you preparing for an operational technology (OT) security transformation? Here’s what you need to know.


In brief

  • Most OT security transformations will fail if two key components are overlooked, but this can be easily avoided if the correct measures are taken.
  • Security leaders must plan for OT security programs with future governance and management of OT security architecture needs in mind.

In today’s converging and hyper-digitized industrial environment, organizations – more than ever – need a forward-looking security strategy to ensure that rapid and wide transformations go as uninterrupted as possible from a cybersecurity perspective.

Those strategies are usually organized under security programs that effectively deliver new technical, organizational and procedural capabilities and ensure continuity of industrial processes and organizational resilience. All of these efforts are taken to allow the business to focus on delivering maximum value to its shareholders and customers within an acceptable risk level.

 

Implementation of security programs in the legacy and heterogenous OT environments typically take a lot of effort and resources. It is important to ensure that the efforts spent during security program execution will not degrade over time once an organization moves to day-to-day operations.

OT security ingredients

Two missing ingredients in implementing and maintaining OT security transformation programs

1. Strategic business alignment and risk-based decisions

One common trap that organizations must be careful not to fall into, when implementing OT security programs, is to focus on short-term gains or to consider technical gaps from assessment reports as checklists to be “ticked off”. There is still not enough strategic alignment from OT security to understand what businesses really need nor a real risk-based approach to security implementation and operations.

One reason for this is that the information technology (IT)/OT security governance and target operating model topics are often treated with reluctance. Meanwhile, they remain a critical element to help make the security, OT and IT operating model changes stick to the future organization.  

2. IT/OT convergence and service-orientation in OT

Another pitfall in OT security efforts is the limited ability to successfully integrate IT and OT functions. The main cause for this is the historical differences in how IT and OT technologies were managed and maintained. The increased integration between IT and OT technologies allows for a new service-oriented approach to how infrastructure and security services are designed, transitioned and provisioned to OT asset owners and engineers.

Extending current enterprise IT services to OT areas may not always be feasible or viable, especially when OT configuration management database (CMDB) is often not developed or regularly updated. However, the OT service management model seems to have the most success when IT and OT teams join forces to enable their businesses to operate in a more modern and digital way.

Steps for success

Organizations seeking to successfully implement OT security programs must ensure they:

  • Implement a target OT security governance model with organizational structures, policies and procedures early during the program
  • Closely involve all parties in the organization from across security, OT as well as IT, during the period where the target operating models are defined
  • Continuously extend IT service management functions towards OT areas, enabling more integration, convergence as well as standardization of infrastructure and security services
  • Build foundations for future OT service management by implementing OT CMDB and OT asset management processes

Summary

To successfully implement an OT security transformation program, organizations must prepare for future governance and management of their targeted OT security architectures. They also need to consider their organizational structures and ensure that all parties involved have an integrated role to play.

About this article

Contributors