OT needs to get back to the basics of robust, consistent cyber hygiene and skills training to get and stay ahead of the bad actors.
By Willi Nelson, field CISO for OT, Fortinet
The global security workforce would need to increase by 65%, according to isc2.org, to adequately protect enterprises’ critical assets. This shortfall is especially acute in OT, an increasing target for bad actors. According to Fortinet’s 2022 State of Operational Technology and Security Report, 93% of OT organizations experienced an intrusion in the past year; 78% of them experienced three or more intrusions.
Room for improvement
Robust OT security faces multiple challenges. Clarity about ownership of industrial cybersecurity within an organization, active involvement of employees in security processes, and a focus on building cybersecurity skills within the workforce are a few key areas businesses could focus on to strengthen their position.
Who owns industrial cybersecurity isn’t always obvious given the overlap between data security and production quality. The CIO and IT team are responsible for business apps, email, databases, and so on. That much is clear, as is the fact that plant managers oversee both production and safety. Yet everyone, regardless of title, is impacted by digital transformation. Companies must foster communication and cooperation across roles to clarify responsibilities and ensure that processes support both security and productivity.
One way to foster an ownership mentality across an organization is to raise awareness of security processes. Most of the respondents to the Smart OT Cybersecurity: From C-Suite to Strategy survey (63%) are knowledgeable about and actively involved in security processes relating to their companies’ OT activities. This number should trend toward 100% as connected efforts expand and OT and IT converge.
As for the cyber skills shortage in the OT space, people are being asked to transition from support roles to leading roles. For instance, automation engineers who may have assisted with a security incident in the past may now be expected to take the lead on overall security of the OT environment.
We still have a long way to go to bring OT into the mainstream of thought when it comes to security. However, since the release of NotPetya in 2017, boards of directors and senior leaders have begun to take notice of the cost to the business as threats continue to rise. It’s this visibility that’s now driving funding and focus on OT security beyond just compliance.
Stronger cyber hygiene and training needed
Some of the biggest security gaps are the lack of proactive threat modeling and pen testing in the OT environments to understand the vulnerabilities in a specific line, environment, and/or facility. Organizations often lack a full test environment that allows security professionals unencumbered access to a safe space to simulate attacks, learn from the experience, and apply lessons learned to the production line.
If you were to follow NIST as a framework (Identify, Protect, Detect, Respond and Recover), it is Respond – specifically incident response – that seems to be the last aspect to mature within OT security teams. With the increase of threats to OT, it’ll be imperative that Incident Response leads the way to not only respond to active threats, but to also reach across teams to ensure the other disciplines are maturing properly.
This brings up another point to consider when building skills, and that’s to focus some energy and time on soft skills for cybersecurity teams. Security used to be the organization of NO; now it must be the organization of enablement and partnership between the business and the incident response team. It will be influence and cooperation that win the future. And, of course, getting the IT and OT teams to work together and coordinate is an essential, ongoing process.
In addition to soft skills training, upskilling the IT and OT workforce specifically on cybersecurity knowledge, skills, and best practices offers tremendous benefits to both employees and organizations.
Investment in training and certification programs directly addresses the existing skills gap. According to the survey noted above, 87% of businesses have started educating employees to be more cyber-aware. In addition, 81% of leaders prefer to hire people who have certificates, while 95% of leaders believe that having a technology-focused certification will benefit their team. And there’s more good news: 91% of respondents said they would pay for a worker to obtain cyber certifications. The fact that certifications attest to a greater level of cybersecurity knowledge and awareness is a main factor contributing to their high regard.
Getting back to basics
It’s the best and worst of times for OT: great opportunities brought on by digital transformation and convergence with IT, and great risks for those same reasons. Add the ongoing cyber skills gap, and you’ve got a recipe for potential disaster. But there’s no need to re-invent the cybersecurity wheel to improve the safety of your environment. Get back to the basics of robust, consistent cyber hygiene and skills training to get and stay ahead of the bad actors.
About the author
Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life sciences. Most recently with GlaxoSmithKline (GSK), he established and directed the global OT infrastructure security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the security organization and the global cyber defense team for GSK’s consumer health startup (now called Haleon). Beyond building and leading the OT and consumer health security teams, he led the security team responsible for cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.