Cyber Regulation Roadmap: Navigating OT Security - Industry Today - Leader in Manufacturing & Industry News
 

January 23, 2024 Cyber Regulation Roadmap: Navigating OT Security

How manufacturers can prepare their OT environments for cybersecurity regulations.

By Mark Cristiano, global commercial director of cybersecurity services at Rockwell Automation

In the last three years, the number of operational technology (OT) and industrial control system (ICS) cybersecurity incidents has exceeded the total number reported between 1991 and 2000.

The recent spike in cyberattacks against manufacturing plants and critical infrastructure, such as energy grids, transportation, and water treatment facilities, shows the urgent need for organizations to implement more sophisticated cybersecurity strategies. If malicious actors gain access to OT systems and are able to manipulate physical devices, the impact can be detrimental, disrupting operations for critical infrastructure and posing safety risks for both workers and the public.

Rising threats and major national security incidents, like the Colonial Pipeline attack, spurred an increased focus on securing public infrastructure, with the Biden Administration announcing the National Security Strategy in 2022. The strategy calls for critical infrastructure owners and operators to meet more rigorous security standards and also places liability on software companies for data breaches caused by vulnerabilities in their software.

The push for more robust cybersecurity disclosures continues as cyber threats become more sophisticated and pervasive. The SEC ruled that starting in December 2023, public companies must disclose any cybersecurity breaches within four days and provide more specific details in the disclosures than previous regulations required. The ruling aims to increase transparency in businesses’ cybersecurity practices and better inform consumers and investors.

With the SEC ruling’s rollout in December, organizations must be vigilant in monitoring and responding to security incidents quickly. It’s also critical for security teams to understand the convergence between OT and IT environments.

In this article, we will walk through best practices to help secure OT systems and follow federal compliance standards. Organizations must conduct regular risk assessments, implement a cybersecurity incident response plan, and establish a process for disclosing incidents to investors and regulators in the event one does occur.


1. Assessing Cybersecurity Risks for OT vs. IT

As manufacturing companies digitize operations and deploy cloud software to connect various systems across the enterprise (specifically, across IT and OT networks), they create entry points for cyberattacks that can spread and impact production.

Cyberattacks against manufacturers and vital infrastructure can include malware attacks, advanced persistent threats (APTs), insider risks and ransomware. Some common risks for OT systems that can provide entry to malicious actors include: unclear ownership of OT security, inadequate protection from IT security solutions, and the absence of security features and passwords.

IT security practices are often robust, but the security of OT networks and systems is frequently overlooked because they are often seen as less complex and less vulnerable to attacks. However, with OT systems increasingly connected to IT systems, the attack surface is greater than ever, making OT more vulnerable to cyber threats. Compromised OT systems are highly costly and disruptive because they are the technology powering public infrastructure, utilities or manufacturing operations.

While IT teams focus on data security, network infrastructure and application vulnerabilities, OT teams typically prioritize the availability, reliability and safety of operational systems. This divergence in priorities may cause cybersecurity risks associated with IT/OT convergence to be deprioritized or overlooked.

Businesses are responsible for managing the cybersecurity risks of the systems that they use and the products they output. To fully understand the threats to enterprise networks, organizations must first identify, map and verify everything connected to them. This includes analyzing code, taking inventory of the software used, evaluating the security of software packages, and monitoring vulnerabilities to patch.

It’s important for organizations to adopt a standardized risk management framework, such as NIST, to comprehensively address the distinctive vulnerabilities inherent to OT systems. The NIST Cybersecurity Framework from the National Institute of Standards and Technology at the U.S. Department of Commerce helps businesses better understand, manage and reduce cybersecurity risk to help protect their networks and data.

2. Building a Cybersecurity Response Program

Organizations must implement robust cybersecurity programs that incorporate the latest threat intelligence, best practices and technology. This requires building a strong governance system, clearly defining the teams’ roles, and creating a dedicated Security Operations Center (SOC) that operates around the clock to monitor, prevent, detect and respond to attacks. Establishing an OT SOC led by seasoned security experts allows organizations to benefit from a collective pool of talent, advanced technology and invaluable firsthand experience. Additionally, fostering a culture of cybersecurity awareness through ongoing employee training empowers staff to actively contribute to the defense against complex cyber threats.

An integrated cybersecurity approach for OT systems requires close teamwork between IT and OT teams. This helps the security team gain full visibility into an organization’s technology infrastructure and potential weaknesses to proactively reduce risk. With collaboration between OT and IT teams, organizations can secure important assets, maintain smooth operations and defend against cyber threats more effectively.

An essential aspect of a cybersecurity program is establishing stringent access controls with a Zero Trust approach and establishing “walls” between systems with micro-segmentation. This includes deploying measures such as multi-factor authentication (MFA) and data security protocols to safeguard crucial information.

Lastly, a cybersecurity program must include advanced detection and response that provides continuous monitoring across all network endpoints to detect any malicious activity in real time. Rapid threat detection is crucial to thwart hackers and help protect critical infrastructure and industrial environments.

3. Compliance and Reporting

In the event of security incidents, a well-structured incident response plan, including efficient backup and recovery services, helps minimize downtime and restore operations quickly. Incident underreporting has frequently led to inaccurate risk awareness, and delays in reporting can double or triple the length of time needed to act in implementing the right protections. Federal agencies are now holding public and private entities accountable to disclose incidents, data theft and ransom payments. Compliance with the SEC ruling will require coordination across companies’ security, finance, risk and legal teams and bringing in key business leaders at the right time.

The annual fines for cybersecurity regulation in the U.S. can vary based on the specific rules and the severity of the violation. Since 2019, major companies have paid regulators an estimated $4.4 billion in fines, penalties and settlements due to cybersecurity incidents, showing the severity of security compliance infractions.

By modeling these federal guidelines, companies of all sizes and industries can enhance their cybersecurity practices and contribute to a safer digital environment. With these proactive steps, organizations can mitigate the potential impact of cyber threats and improve the security and resilience of their OT systems.

Mark Cristiano

Mark Cristiano has 30 years of experience in IT with 15 years of enterprise and manufacturing systems leadership. He currently leads the Global Commercial Strategy for Cybersecurity Services at Rockwell Automation.

 
