Operational Technology (OT) security is making headlines. Awareness of the topic is higher than it’s ever been. Yet we still see organizations get stuck when trying to move forward with their OT investments in people, process, and technology. Often the hurdles they face are really misconceptions about what they should do. Below are four common myths that trap organizations into inaction, and advice on how to move forward.
Myth 1: We need an asset inventory before we can do anything about OT security.
The intent behind this isn’t all bad. Proponents will say, “you can’t protect what you can’t see,” which is hard to disagree with. The trouble comes when the artificial dependency is created in a way that keeps any other program development or security initiative from moving forward. In my experience, very few organizations and industries are willing to make the investment needed for a 100% complete OT asset inventory. Therefore, take what you have, make investments to improve, embrace continuous learning, and move asset inventory forward in parallel with other efforts.
Myth 2: We need all our OT business units to implement X technology for Y security purpose.
Too many organizations get hung up on a technical dependency, such as a specific architecture, a visibility tool, a firewall, a future operational system upgrade, or even just a ticketing system. If you wait for planetary alignment, especially in large, complex organizations, you are likely to create an artificial dependency. Be ready to accept technology diversity and heterogeneity while you make improvements.
Myth 3: We need full network and security visibility into our OT systems before we can move forward.
While we certainly advocate for as much visibility as possible, this too can be a hang-up for some organizations. Now you may be saying, “wait just a minute… we’ve been talking about the need for more OT visibility for years and now you’re going to tell me to hold off?!” Not exactly. One security leader I spoke with who has multiple business units and a significant OT footprint shared his approach: “When building our program, we looked at what could be accomplished in three years. Anything longer than that and the planning seemed too long of a horizon. This forced us to prioritize what to include and exclude, which meant some environments did not get included in the first phase of the OT visibility/asset/detection tool. But they didn’t hold up the rollout to priority environments and construction of our overall OT SOC and OT security program.”
Myth 4: We have no control or influence over OT systems because of <insert reasoning here>.
No organizational influence. Production operations rule the decision-making process. Our vendors won’t listen to us. We have no political capital. Those systems are isolated. These are a few of the reasons we have heard for not moving forward. Many CISO organizations know that sooner or later they will be held accountable for OT security. So start building those relationships, start understanding how production operations work, start engaging with the vendors and engineering processes, and make sure you understand how your OT systems are connected. The old excuses will not survive in the end, no matter your organization’s current climate.
OT security is a complex journey and we often help our clients navigate investment prioritization—we understand not everything can be done at once and business decisions must be made along the way. Just make sure that as you navigate these decisions you don’t get stuck by any of the aforementioned myths.
Need help building your OT program and OT network monitoring, detection and response strategy? Find out how our OT Cyber Fusion Center can help you test, validate and scope the right solution for your business.
By Jason Holcomb
About the author: Jason Holcomb is Security Innovation Principal Director, OT Security, Accenture.
This article originally appeared at https://www.accenture.com/us-en/blogs/cyber-defense/ot-security-setbacks and is republished with permission.