In today's interconnected business landscape, ensuring safety, security, and risk awareness across the organization has become paramount. But when it comes to prioritizing operational technology (OT) security, leadership tends to fall short. Executives are predominantly concerned about financial matters and short-term gains, so they often lack awareness about the long-term risks and consequences of poor OT cyber hygiene. With competing priorities such as market competition and regulatory compliance, OT security can easily get overlooked.
Moreover, board members may not possess technical expertise, making it challenging for them to even grasp the importance of prioritizing OT security. If a company hasn't experienced a major security incident, board members might also assume that its risk exposure is low. So what can security teams do to flip this script?
The answer lies in unifying people, processes, and culture for OT security. Human actions can introduce vulnerabilities, but well-defined processes ensure consistent security measures. Cultivating a strong security culture and addressing insider threats help mitigate risks and foster a proactive security mindset in OT environments. To bring these principles together, board leadership must take five comprehensive steps:
- Build an operational resilience program.
Businesses must integrate safety, security, and risk considerations around OT into their core operations. This requires awareness and involvement from all stakeholders within the organization, aligning their functions with the overall business objectives. By establishing an operational resilience program, decision-makers can proactively manage risks and drive a culture of safety and security across the enterprise. But the board itself must take decisive action to bake an awareness of operational risk into the entire enterprise.
- Leverage security frameworks and contextualization.
Once the company recognizes the need for an operational resilience program, it should assess and leverage security frameworks such as those from the National Institute of Standards and Technology (NIST) and the International Electrotechnical Commission (IEC). These frameworks offer comprehensive guidelines, best practices, and standards tailored to the unique requirements of OT environments.
By aligning with NIST and IEC frameworks, organizations can gain valuable insights into the maturity levels of their security measures at any time. This understanding lets them contextualize operations and exposure, and enhance their risk mitigation strategies effectively. It’s also important to implement a Cyber Security Management System (CSMS). A CSMS offers a comprehensive view of risk exposure, which lets businesses assess and manage complex security challenges effectively. It’s especially crucial following significant attacks such as the Colonial Pipeline breach, as it empowers governance, risk and compliance professionals to offer valuable input to executives so they can make informed decisions.
- Address safety and security gaps.
With the growing digitalization of operations and increased connectivity across the supply chain, businesses are collecting more data than ever to enhance their security solutions. Security teams need to boost visibility into the organization's assets, including OT systems, equipment, and infrastructure. However, despite having this increased insight, organizations often struggle with actual risk mitigation measures.
To bridge this gap, decision-makers must invest in enterprise management solutions that offer a comprehensive and strategic response to security gaps. These products align data collection practices with security objectives and integrate them into the overall management of the organization. By doing so, businesses can address safety and security gaps more effectively and enhance their risk mitigation efforts throughout the supply chain.
- Foster stakeholder engagement and build a security culture.
For OT security to become ingrained in the enterprise, businesses must foster collaboration and involvement among stakeholders. Just as safety culture mandates specific actions (reporting incidents, conducting inspections), we need a similar level of commitment for security. Whether it’s establishing a clear reporting mechanism for identifying vulnerabilities, or encouraging collaboration and knowledge sharing, stakeholders must play a major role. By actively engaging stakeholders and integrating risk, security, and safety considerations, organizations can create a culture where leadership views security as continuous and aligned with agile business processes.
- Develop a systematic approach with contextual decision-making.
A systematic approach to OT security starts by giving stakeholders a holistic understanding of risk, security, and safety, enabling them to evaluate decisions from a comprehensive perspective. Decision-makers should strive for an approach that provides this context across the entire enterprise.
By integrating safety, security, and risk into the fabric of the business, decision-makers can drive operational resilience and protect the lives and assets that depend on their OT systems. Leveraging relevant frameworks, involving stakeholders, and fostering a culture where safety and security align are critical steps on this journey. Once these steps are taken, organizations can navigate challenges and make informed decisions that prioritize OT security and drive operational excellence throughout the entire enterprise.
Michelle Balderson, global security executive and OT security evangelist, OTORIO