Shifting operational technology cybersecurity from defensive to resilient

Unlocking the power of operational technology is crucial for safeguarding infrastructure. Discover how to enhance security today.

In brief
  • Operational technology (OT) is vital for critical infrastructure, yet often overlooked, posing significant risks to safety and operational continuity.
  • Cybersecurity leaders must prioritize OT vulnerabilities, driving visibility and robust security measures to prevent potentially catastrophic breaches.
  • A collaboration between IT and OT must focus on proactive security strategies and nonstop monitoring to protect critical systems.

Operational technology (OT) is essential to all critical infrastructure. These systems are foundational to the basic functions of factory assembly lines, transportation services, buildings, electrical grids, nuclear power plants, water treatment facilities and many other complex physical facilities.

Put simply, OT makes possible all the functions essential to society, business and our modern way of life. 

But for a chief information security officer (CISO), the priority is often IT, where innovation and rapid development bring new sleek tools and services that boost profits and increase efficiencies without addressing potential safety risks. Yet because all modern physical systems rely on OT software and hardware, a breach could cause widespread disruption to work and life.

Chapter 1

High stakes, real impact

Attacks on OT-based platforms can quickly cost lives, and the ensuing repairs present their own risks.

The interconnected nature of the core systems that run critical infrastructure means that failures caused by malicious attacks can be massively destabilizing, with results such as physical damage, production halts and even risks to human safety. For example, a compromised water treatment facility could result in a public health crisis, and an attack on an electrical grid could plunge cities into darkness and leave residents facing deadly temperatures.

Unlike back-end IT systems — mobile devices, personal computers and other digital tech — where cyber vulnerabilities can be patched with over-the-air updates, OT infrastructure may require complete overhauls. Power utilities, traffic light switches, military installations and building elevators can’t be stopped and rebooted without significant, even catastrophic, disruptions. 

The criticality of OT-based platforms and the severity of cyber threats against them has refocused CISOs’ and other cybersecurity leaders’ attention on OT vulnerabilities. Understanding these risks and the unique challenges they pose means gaining visibility into OT networks and deploying robust security measures that are more than an exercise in compliance. Rethinking OT security is about safeguarding operational and business resiliency and keeping employees safe from physical harm.

Chapter 2

From defensive to resilient

The best OT cyber defense exists where people, process and technology converge.

Getting OT security right starts with understanding the assets that are attached to your network. Many of the most significant outages caused by a cyber event have happened because an organization didn't know that a tool, an access point or a device was still attached to its network and had an exposed vulnerability or an insecure access process. Identifying system weaknesses, monitoring and responding to threats, and prioritizing security measures based on potential business impact are key. In practice, cybersecurity initiatives can improve any number of risk tolerance scenarios, from unplanned outages and undetected quality defects to safety incidents and waste.

From there, an organization must align OT cyber risk with the business mission. The goal is to reduce the impact of cyber incidents on OT networks and to achieve optimum risk visibility into OT networks to heighten their resiliency. This is essential for the next step: continuous threat monitoring. Knowing what connected systems are in place and understanding the level of risk associated with each component is crucial to making informed decisions about where to allocate resources for the best safeguards. 

Continuous monitoring of the OT network enables organizations to detect potential threats early and to respond swiftly, long before risks escalate into major incidents. Having the right technology in place is critical. But tools are only as good as the people who use them. The highest standard of OT cyber defense is set at the nexus of people, process and technology. CISOs and cyber leaders are best served by teams that understand OT environments and are backed by leading-edge tech and reliable protocols to interpret the data, identify anomalies and heed the signals of potential threats.
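The steps above (know what is attached, weight it by business impact, watch the network continuously) can be reduced to a small reconciliation routine. The following is an added illustration, not code from the article or from EY: it compares a constructed asset register against constructed passive-monitoring observations, flags devices nobody inventoried and known devices using services they were not expected to use, and ranks the findings by the impact rating of the asset they reach. All addresses, names and ratings are made up.

```python
from dataclasses import dataclass, field

# Constructed asset register: what the plant believes is on its OT network.
# "impact" is a 1-5 business/safety rating agreed with operations management;
# "allowed" lists the services each asset is expected to speak.
INVENTORY = {
    "10.20.1.10": {"name": "PLC-boiler-1", "impact": 5, "allowed": {"modbus"}},
    "10.20.1.11": {"name": "HMI-control-room", "impact": 4, "allowed": {"https", "modbus"}},
    "10.20.1.30": {"name": "historian", "impact": 2, "allowed": {"https"}},
}

# Constructed observations from a passive network sensor: (source, service, destination).
OBSERVED = [
    ("10.20.1.11", "modbus", "10.20.1.10"),   # expected HMI -> PLC traffic
    ("10.20.1.30", "https", "10.20.1.11"),    # expected historian -> HMI traffic
    ("10.20.1.77", "telnet", "10.20.1.10"),   # source is not in the register at all
    ("10.20.1.11", "telnet", "10.20.1.10"),   # known source, service it should not use
]

@dataclass(order=True)
class Finding:
    priority: int                          # higher means handle first
    kind: str = field(compare=False)
    detail: str = field(compare=False)

def assess(inventory, observed, unknown_bonus=2, default_impact=3):
    """Reconcile observed traffic with the register; return findings, highest priority first.

    Priority is the impact rating of the asset being reached. Traffic from an
    un-inventoried device adds unknown_bonus, since the article's point is that
    forgotten devices are what turn into outages. An un-inventoried destination is
    assumed to have default_impact until someone classifies it.
    """
    findings = []
    for src, service, dst in observed:
        impact = inventory.get(dst, {}).get("impact", default_impact)
        if src not in inventory:
            findings.append(Finding(impact + unknown_bonus, "unknown-asset",
                                    f"{src} reached {dst} via {service}"))
        elif service not in inventory[src]["allowed"]:
            findings.append(Finding(impact, "unexpected-service",
                                    f"{inventory[src]['name']} used {service} to {dst}"))
    return sorted(findings, reverse=True)

if __name__ == "__main__":
    for f in assess(INVENTORY, OBSERVED):
        print(f"[P{f.priority}] {f.kind}: {f.detail}")
```

Expected traffic produces no finding; the un-inventoried device talking to the highest-impact PLC ranks above the known HMI using an unexpected service to the same PLC.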

Chapter 3

A holistic approach

A security plan that recognizes the differences in OT and IT security needs will safeguard OT systems.

High visibility into OT systems also empowers CISOs and plant or operations management to jointly devise a security roadmap that is a comprehensive multi-faceted strategy based on informed decisions. This is especially important because OT networks extend to third parties, exposing the networks to third-party risk. Today, the OT security boundaries include all those externally linked entities, including IT systems. 

This is why impact-dependent prioritization of security measures, asset and process segmentation, and trust taxonomies all feed into the decision-making matrix to reduce risk across a much wider network. And while OT and IT are not at odds, segregating the two can safeguard OT systems from risky IT environments. This calls for a basic recognition of structural differences between IT and OT security needs. Tasked with the same mission – to protect the business, people, and larger societal interests – IT and OT security and business leaders must establish a better exchange of challenges and limitations and collaborate to resolve them. 

In physical environments, safety is paramount. Gaining visibility into OT networks, aligning IT and OT priorities, and taking proactive security measures are essential to protecting these critical systems, core businesses, third parties and bottom lines. The more visibility an organization gains into its OT, the more risks it will be expected to remediate. Security teams, operational and engineering teams, and business leaders need to work closely together to build on proactive measures and maintain a posture of response readiness across wider OT environments.

The views reflected in this article are the views of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.

Summary 

Regardless of the size and the industry sector, leaders who apply these methods to their OT operations will shift their cybersecurity posture from defensive to resilient.
