Recent global events have convinced us that digital transformation is here to stay and, in fact, accelerating. Companies that had already begun to embrace digital transformation were able to adapt more quickly to disruption and demonstrate greater resiliency. Now that the initial rush to support a shift to a more distributed model is behind us, we have an opportunity to pause and consider what work still needs to be done to further resiliency. For the 45% of Fortune 2000 companies in industries that depend on operational technology (OT) networks to run their business, it’s likely time to revisit IT risk management and governance and determine how to include OT networks.
Looking at governance and processes holistically can be a challenge for various reasons. To begin with, IT and OT teams prioritize the three principles of confidentiality, integrity, and availability (CIA) differently. The teams that manage information security typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. This difference tends to overshadow the fact that both teams share the same desired outcome – risk reduction. We can respect those priorities by employing different approaches and different tools as we work toward a common goal.
Another area that presents a challenge is the different way in which organizations, versus adversaries, view IT and OT networks. Organizations tend to think of these as separate networks, whereas adversaries don’t see things this way. To them, a network is a network, so attacks are intertwined. NotPetya is a prime example of an attack devised to spread quickly and indiscriminately across an organization. While OT networks were not the primary target, the accidental spill-over of NotPetya from IT to OT networks was a wake-up call that we must think of these networks as one and strive for a consolidated picture of our technology infrastructure.
Learn more about industrial threats at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
A more secure digital transformation journey begins by embracing the differences between IT and OT networks. It’s very challenging for OT professionals to play catch up and close the 25+ year IT-OT security gap. The combination of legacy devices, many more attack vectors, and opportunistic adversaries creates a perfect storm situation. But we can’t let this deter us. In fact, because OT networks have no modern security controls, we have an opportunity to start with a clean slate and build an OT security program from scratch. There is no need to recreate the complexity of the IT security stack with 15+ security tools and embark on lengthy projects, like physical segmentation, which take too long and often aren’t effective or necessary.
OT networks are designed to communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. OT network traffic provides all the security information needed to monitor for threats and can fuel playbooks that will fulfill multiple security controls. With a single, agentless solution for asset visibility and continuous threat monitoring that can be implemented quickly and integrated into IT systems and workflows, we can start to close the IT-OT security gap without risk to productivity or downtime. IT and OT teams can work together, leveraging visibility and continuity across the attack surface to govern OT networks with the same processes and reporting metrics.
Digital transformation is a necessity and, increasingly, Fortune 500 companies have the support of their board of directors and budgets to reduce risk to their OT networks. Fueled by these two imperatives, along with purpose-built OT security technologies and holistic risk management and governance practices, IT and OT teams can continue their great work of the last few months and drive toward a more secure, digital future.