Over the last few years, the majority of large enterprises have come a long way in defining their operational technology (OT) governance strategies and making meaningful advances in risk reduction. Technology innovations aside, the top success factors I’ve observed are the way in which governance programs are structured and executed. Most significant is the guiding principle that organizational structure drives strategy.
What do I mean by that?
In organizations with a significant cyber-physical systems (CPS) footprint (e.g., manufacturing, oil & gas, and pharmaceutical), CISOs and their security teams need to collaborate with OT engineering teams to define and execute the OT strategy. And while most organizations have centralized governance and responsibility for OT cybersecurity under the CISO, the devil is in the details with respect to how they define and implement it.
The details of implementation and how the organization is structured fall along a spectrum – from less to more “control” for the security team. I’ve seen multiple variations work well, and believe the key is having a clear understanding of the boundaries and responsibilities for each team. There are at least three main aspects to consider, whether you are redesigning the organization or working with what you’ve inherited, in order to create a strategy that reduces risk effectively: budget, implementation, and ongoing reporting.
Budget. Many companies are moving to centralized budget allocation for OT cybersecurity projects, but what that means in practice can vary significantly. You’d be surprised how many answers you can get to the following questions:
• Who owns the budget?
• How easily can you allocate it?
At one end of the spectrum, the budget for OT cybersecurity projects is just a cost center line item within the security team’s budget. The risk here is that project rollout still depends on OT approval and on OT engineers doing the implementation, so the budget may not be allocated in a timeframe that matches when those engineers are actually available. At the other extreme, each site holds its own budget, which impedes global rollouts, breaks continuity across your attack surface, and makes it hard to govern against consistent benchmarks. Whatever your budget process is, make sure that in practice it supports the decision-making structure and timelines of your combined team.
Implementation. Given the increasing maturity of OT cybersecurity, most organizations are at a stage where they know and agree on the categories of risk reduction they need to implement. The challenges usually come in the actual rollout and implementation. Organizations need to understand and be aligned on the following aspects:
• Who has access (remotely and physically) to the CPS and networks where new technologies are deployed?
• Who architects the deployment and how will the new technology feed into the rest of the enterprise’s security tools?
Success ultimately comes down to a very specific combination of IT and OT skills, which is hard to find. Some companies invest time and effort in cross-training their teams; others try to hire externally. Neither is trivial, but given the OT cybersecurity talent gap, cross-training is often the more time-efficient and cost-effective route. The work requires someone who understands the operational side of the technology and the constraints that must be respected when deploying anything new into it. Investing in existing staff provides an opportunity for professional development and has the added benefit of building relationships between teams.
Ongoing reporting. This is probably the most important aspect. On an ongoing basis you need to be able to monitor the cyber posture of your CPS, overlay that information on the rest of the organization’s cyber posture, and investigate incidents from there. There are a few aspects to iron out when proceeding down this path:
• Who consumes the security telemetry coming from the CPS and networks?
• Is that data then correlated with security telemetry and insights from the rest of the networks?
• How is the data interpreted and who takes action?
Part of the requirement is orchestrating the flow of information; the other part is having a tier of SOC analysts with sufficient understanding of CPS to triage alerts. When a deeper understanding of those systems and their normal patterns is required, analysts also need access to OT engineers. Connectivity and collaboration are shaped by the formal organizational structure as well as by the informal relationships that have been cultivated between the teams.
The most common, effective organizational design I see consists of a small, dedicated team within the security team that is assigned to partner directly with OT engineering and has varying degrees of authority to execute changes in the CPS environments (most often indirectly, with the help of the engineering team). The typical implementation of this is a “two in a box” model – a security engineer and an OT engineer are jointly responsible for implementation at each site. While formal organizational structure drives OT governance strategy and meaningful advances in risk reduction, a key success factor is the informal relationship between the IT and OT organizations. That takes trust, and trust takes time, so don’t delay.