August 15, 2023 Shifting OT’s Security Responsibility

A new report shows 95% of organizations are prioritizing OT cybersecurity by assigning responsibility to the CISO.

By Willi Nelson, field CISO for OT, Fortinet

Cybersecurity in OT remains an uphill battle. As organizations deal with an ongoing skills gap, along with continued IT-OT convergence, OT organizations are continuing to prioritize cybersecurity. That’s according to the findings of the 2023 State of Operational Technology and Cybersecurity Report. The fact that almost all participating organizations (95%) intend to assign the responsibility for OT cybersecurity to a chief information security officer (CISO) rather than an operations executive or team at some point in the coming year is a significant indicator of this prioritization.

Let’s look at how shifting security responsibility to the CISO will benefit OT leaders.

Exploring the latest threat landscape

It can’t be overstated: because more companies’ OT environments are internet-connected now, protecting OT systems is more important than ever. Even while IT/OT convergence has many advantages, sophisticated and disruptive cyberthreats are hindering it. These attacks increasingly focus on OT environments. In fact, by some accounts, manufacturing specifically was the most targeted sector for ransomware-based attacks in 2022.

While there has been a general drop in intrusions – the result of fewer insider breaches – while malware and phishing remain significant concerns, up 12% and 9%, respectively. However, this might be due to attackers using a more focused strategy rather than to a decrease in cyber risk. Still, 75% of those who responded to the Fortinet survey reported having at least one breach in the previous 12 months.

Adding to the challenge of IT/OT convergence, organizations are also grappling with a proliferation of point products and solutions. This can make it harder to implement and uniformly enforce policies throughout the converged IT/OT landscape. Having a unified security strategy would be advantageous here.

Another significant finding of the Fortinet report was that the percentage of participants who believe their firm has the highest level of cybersecurity maturity has decreased from 21% to 13% over the past year. This change in the data tends to suggest that OT personnel now have a more accurate self-assessment of their company’s OT cybersecurity capabilities. It also speaks to the need for a cybersecurity leader such as a CISO to oversee and augment those capabilities.

Shifting responsibilities

The old separation of OT and IT that historically persisted is being broken down in many organizations – and to meet today’s security needs, OT security isn’t just being left up to OT professionals. That’s why it’s moving under the umbrella of the CISO for many organizations. In almost all companies, the chief information security officer (CISO) – rather than an operations executive or team – is in charge of OT cybersecurity.

The aforementioned report found this isn’t just happening at the leadership level. OT cybersecurity experts now come from top positions in IT security as opposed to product management. Decisions about cybersecurity are increasingly being influenced by executives rather than operations. This contrasts with last year’s findings, in which we saw that OT security was still being largely owned by lower-ranking professionals.

Why OT security strategy is pivotal

This is a step in the right direction. OT cybersecurity now has the consistent attention of leadership teams and C-suites. Based on the survey data, OT security strategy should be a CISO concern due to these factors:

• Visibility is not centralized: An organization’s network is far more vulnerable when OT actions are not centrally visible. This lack of concentration can make any firm more vulnerable to increased OT security threats. Just 52% of participating firms can monitor all OT actions from their security operations center (SOC).
• Point-product security gaps: Although OT security is steadily getting better, many firms still have security holes. According to the report, the great majority of businesses secure their industrial devices with products from two to eight security providers. Many of them may be using from 100 to 10,000 devices. Any IT security team managing many unintegrated OT security products would be challenged by this complexity.
• Responsibilities are unclear: As previously noted, survey participants report that the CISO is not always in charge of OT security at their company. You are rolling the dice if your OT networks are not being protected by a security professional. Actually, many companies are likely to suffer because just 15% of respondents claim that their CISO is in charge of OT security.
• Negative business outcomes: OT attacks can have a major effect on an organization’s financial health via reduced productivity. According to the survey, almost 50% of the firms had a service outage that negatively impacted their productivity, and 90% of those incidents required a substantial amount of time and effort to rectify. Additionally, more than 30% of participants claim that their companies have suffered setbacks in terms of income, data loss and compliance – as well as reputational harm to their brands.

Shifting to stronger security

There’s good news in all of this – we’re seeing a heartening uptick in attention being paid to OT cybersecurity. This change offers the benefits of increased leadership attention and centralized visibility. The above-noted challenges underscore the fact that placing OT security strategy within the CISO’s purview is the logical evolution in organizational safety.

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life Sciences.  

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.  

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker, and veteran.

Subscribe to Industry Today