June 26, 2023 Securing Operational Technology (OT)

Building cyber resilience in operational technology.

By Willi Nelson, field CISO for OT, Fortinet

As organizations fast-track IT/OT network convergence, leaders are using the data gathered by physical equipment and Industrial Internet of Things (IIoT) devices to pinpoint problems and boost efficiency. Though this convergence brings many benefits – like faster deployment times, greater cost savings, improved performance, and fewer compartmentalized IT and OT departments – security remains a primary concern.

Malicious actors continue to target OT and critical infrastructure. The 2023 State of Operational Technology and Cybersecurity Report found that 75% of OT organizations reported at least one intrusion in the past year, with intrusions from malware and phishing being the most common.

Now that IT/OT environments are rapidly converging, cyberthreats that are always changing and evolving can attack OT environments that used to be air-gapped and prevent many organizations from taking fully advantage of this integration. As a result, OT professionals all over the world value cybersecurity more than ever.

Yet the challenges of securing this “hybrid” environment persist. Leaders need to ensure their organization’s comprehensive security strategy fully addresses OT.

Building resilience for the future: Three steps

One of the major challenges that persists is the explosive growth in connected devices. The fact that almost 80% of respondents said they have more than 100 IP-enabled OT devices in their OT environment shows how difficult it is for security teams to keep up with the evolving threat landscape. Another issue is legacy technology. The majority (74%) of organizations report that their ICS systems are 6 to 10 years old. 

Gaining visibility is key – for both IT and OT security, because you can’t defend what you can’t see.  For instance, with a conventional IT infrastructure, there are servers, switches and other components, but you can’t see what’s going on behind them. Therefore, the first step is to gain this visibility and create an accurate OT asset inventory.

Segmentation is the next step. You must set up segments that make sense in terms of security. This will limit an attacker’s ability to move laterally. You prevent individuals with access to one lab from gaining access to all of the labs or individuals with access to one pump from gaining access to all of the pumps.

The third step is to safeguard access to everything. For instance, to ensure that switching between two pieces of equipment happens in accordance with your policies, you must take the traffic up to a firewall. OT traffic must be encrypted because too much of it is still insufficiently protected; until recently, these assets were physically separated from IT (air-gapped).

These three components can go a long way in helping organizations get a better handle on OT security.

The human element

While technology is obviously an important part of the cybersecurity equation, it’s also about people. One encouraging trend is that OT security is being taken more seriously, and more organizations have now moved OT security under the jurisdiction of the CISO as opposed to leaving it to an operations executive or team.

It may be more difficult to establish policies and enforce them uniformly throughout the converged IT/OT landscape as a result of the proliferation of cybersecurity point products and solutions. OT personnel now appear to have a more accurate appraisal of the OT cybersecurity defenses within their organization. The data also reveals that OT security experts are coming from the IT team rather than those with prior experience in product management. The C-level and traditional security leaders are therefore becoming more involved in and committed to cybersecurity decision-making, as the survey data suggests.

But it’s not just about leaders; cyber hygiene for all must always be a third part of the equation. Because the cybersecurity battle will necessitate the communal empowerment of all workers with the information and awareness to cooperate in protecting themselves and their organization’s data, cybersecurity training is still essential. OT organizations should think about offering non-technical training to everyone who uses a computer or mobile device, including remote workers and even their families.

Safeguarding OT and everything it touches

As organizations embrace the convergence of IT and OT networks, securing the OT side has come into sharper focus. The increasing number of cyberthreats targeting OT environments highlights the urgent need for enhanced cybersecurity measures.

There is still room for improvement, particularly in dealing with the challenges posed by connected devices and legacy technology. But the overall cybersecurity posture of OT organizations has improved; the proportion of organizations that did not experience a cybersecurity breach increased significantly year over year (from 6% in 2022 to 25% in 2023). And the fact that OT is increasingly being moved under the jurisdiction of CISOs is another encouraging trend. Defending converged environments is possible, and OT leaders who follow best-in-class recommendations will fortify their organizations’ defenses and protect valuable data.

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life Sciences.  

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.  

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker, and veteran.

Subscribe to Industry Today