Why OT security is not just a regulatory imperative for CISOs

Amid recent government scrutiny, organizations should approach it as a business enabler that is every bit as important as IT security.

In brief:

  • OT is increasingly central to the business, and new SEC materiality requirements mean that new processes for disclosures must be put in place.
  • Security leaders need to prioritize IT and OT cybersecurity risks, guided by their organization’s mission and objectives.

For the past decade, operational technology (OT) has grown more sophisticated and more vital for manufacturers, energy providers and others to pursue innovation and seize new growth opportunities. Yet it often remains overlooked when compared with IT and estranged from the overall cybersecurity mission and objectives, while the cybersecurity function itself can be saddled with perceptions that it is a cost center that thwarts innovation instead of enabling it.

Recent high-profile incidents — including the 2021 ransomware attack on a pipeline company that froze fuel deliveries to the East Coast and 2023 attacks across the health care sector — have highlighted just how much our physical and digital worlds have converged, and the heightened stakes when defenses are breached. In response, the Biden administration and regulators have issued new rules that hold CISOs and CIOs more accountable. When looked at proactively, new regulations can be new opportunities to reimagine business-as-usual — to better link risk to revenue, and to prioritize accordingly.

Forward-thinking executives can seize this opportunity not as a compliance exercise but as a methodology for better understanding the real financial impacts of what they are protecting and for strengthening overall cybersecurity with those priorities in mind. Here’s what to consider.

A sea change in regulation

In 2020, the maker of popular IT monitoring and management software revealed that it had been the target of a years-long cyber attack. Malicious actors had penetrated the company’s systems and sent out a patch for the software that seemed legitimate but opened the door to threats. About 100 companies and government agencies that ran the platform, including the Pentagon, were compromised. In late 2023, the SEC sued the CISO of the software maker, alleging that they understated or failed to disclose known risks. It was a landmark case that rattled cybersecurity functions across the nation and heralded the beginning of a new era of expectations for CISOs.

Just months before, the SEC issued new rules for companies to report on their ability to protect the business and demonstrate the materiality of cyber incidents and risks. In short, the agency wanted investors to be better equipped to understand what businesses were doing with regard to cyber and the potential risks.

CISOs now must bear the responsibility to come up with processes for materiality disclosures for cyber events — including not only breaches but also a fire in a data center, for example — which must be revealed within four days. Now, an attack like the one against the fuel pipeline company must be reported as a material loss, accounting for the lost revenue and/or sales. In some cases, the number of customers impacted must also be demonstrated.

OT, the overlooked second cousin to IT

Effectively coming to terms with these new materiality requirements forces CISOs to focus more intently on OT than ever before. Everything that companies do within OT centers on the business mission, historically either producing and delivering a commodity (such as power, water or gas) or manufacturing a product. Each aspect therefore has materiality dimensions.


However, OT systems are unique from a cyber perspective in that they require different policies, processes, procedures and tools than IT. While security and risk management processes similar to those used in IT can be leveraged, OT risks and active threats must be mitigated differently and require different knowledge. Yet, compared to IT, OT has always been seen as outside the core mission of the business and is treated as less of a priority, overlooked when decisions are made and budgets are set.


IT typically “owns” the cyber budget, with visibility only into the limited number of systems in the OT space that also overlap with IT. This misses the entire Industrial Control System/SCADA architecture and the automation systems. KPIs in the plants compound the issue, as cyber implementations and security controls can be seen as hurdles preventing greater efficiencies. Historically, our clients purchase some technology to fix a specific issue — but it is a patchwork solution that isn’t integrated into a broader program that is holistic, manageable and auditable.


As a result, CISOs face challenges in meeting the materiality demands presented by recent regulations. While commodities and products are easily correlated to their monetary value in a sales function, for example, that linkage is virtually nonexistent in cybersecurity, especially in OT. CISOs and CIOs may understand the “crown jewels” of their enterprises, but they are programmed for implementing controls and hardening defenses across the organization — to do as much as possible amid perennially strained budgets. They view the problem through the lens of technology, not business impact.

What to do

As OT cybersecurity matures in our increasingly connected world, CISOs must lead the shift from vulnerability management for critical systems toward a more holistic prioritization of cybersecurity risks, driven by the organization’s mission and objectives. OT cybersecurity cannot remain an afterthought in budgets, relying on quick fixes or ad hoc upgrades because the full-scale needs seem impossible to tackle.

SEC materiality regulations can help orient this focus around risk to revenue. You no doubt have dashboards through which potentially dozens of cyber alerts are visible — for instance, highlighting a risk that may develop at a point in a manufacturing production line, or that could take down a mail server or an entire environment. But do you know what dollar amount to affix to that risk?

CISOs have an opportunity to evolve a traditional security operations center (SOC) into a risk operations center (ROC), aligning OT cybersecurity with business risks and combining them with real-time visibility, enabled by artificial intelligence and other emerging technology. Organizations are thereby equipped to predict business risks in real time, while quantifying and justifying cybersecurity’s return on investment — driving and leading the business transformation for entire organizations beyond cybersecurity.

Summary

With operational technology (OT) growing just as important as IT, CISOs and CIOs must take on a new, holistic mindset toward security, especially as regulations evolve. By thinking proactively, beyond a mere compliance exercise, executives better understand the financial value of what they are protecting, across IT and OT dimensions, and how to strengthen overall security posture, aligned to business priorities.
