Protecting converged IT/OT environments from cyber threats
Security and business leaders require alignment
With the rise of digitized manufacturing and industrial internet of things (IIoT), the attack surface has expanded, converging the worlds of IT and operational technology (OT), while introducing new attack vectors that have allowed cyber threats to grow at alarming rates. CISA recently warned about vulnerabilities in motion sensors in robotic controllers, commonly used in the critical manufacturing and healthcare sectors, and issued an advisory warning of rising threats to OT and control systems as OT assets become internet accessible. In recent years we’ve seen a number of similar attacks, including the EKANS ransomware earlier this year that was designed to target industrial control systems. Despite the constant warnings and evidence of ongoing attacks, security teams often face challenges in aligning leadership to confront the issue of cyber risk.
The reality is that cyberattacks such as those designed to steal IP, disable networks or sabotage equipment can have serious consequences on critical infrastructure and essential services for entire countries. The pandemic has underscored this threat as the heightened reliance on essential services continues to pique cybercriminals’ interests. In fact, a recent study conducted by Forrester Consulting on behalf of Tenable found that, over the past year, 65% of organizations in the U.S. suffered business-impacting cyberattacks or compromises that involved OT systems. For these environments, bolting on a security solution alone is only fighting half of the battle. Organizations need to integrate security into the business strategy and ensure close coordination between security leaders and business executives — particularly in industrial environments that often rely on 24/7 operations.
But, in most organizations, this isn’t happening. The study, which surveyed over 800 global security and business executives in a variety of sectors, found that 75% of business and security leaders say their COVID-19 response strategies are, at best, only ‘somewhat’ aligned. The good news is there are some concrete steps organizations can take to align leadership to take action and reduce cyber risk.
Align cyber strategies to business objectives
Just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. At its core, this is due to inconsistent communication among leadership, spurring a split in priorities and strategies. According to the study, fewer than half of security leaders consult business executives all the time or very frequently when developing their cybersecurity strategies. On the flip side, four out of ten business executives rarely — if ever — consult with security leaders when developing their organizations’ business strategies.
The first step to correcting this is to begin a regular cadence of communication with business leadership to understand priorities and establish a coordinated strategy. In converged industrial environments, this will initially require both OT and IT security personnel to align on approaches. Historically, IT and OT security teams held different priorities, with OT staff typically focused on stability, safety and reliability, and IT staff concerned with the confidentiality, integrity and availability of data. Now that OT has been brought online, it has converged with IT, and IIoT devices have introduced even more interconnectivity, widening the attack surface available to a cybercriminal. With IT/OT security teams on the same page, they are better poised both to strengthen communication with business leaders and to address today’s threats as a unified front.
Position cyber risk as business risk
A cyberattack can have devastating effects on business continuity, but these risks are often lost in translation when communicating with business leaders. In fact, fewer than half of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. In order to drive effective communication, security leaders must speak the language of business risk.
To accomplish this, security leaders must be armed with business metrics that speak to how cyber risk can directly impact a business’ value proposition. They should work to identify the potential cost of a business-impacting cyberattack on the organization’s critical OT assets and express how this can affect revenue over time. From there, they can illustrate how an attack on a business-critical device, such as a robot controller on a production line, can directly undermine the organization’s ability to deliver on its value proposition for customers. Lastly, security leaders should show how other industrial organizations have been impacted, both monetarily and reputationally, and present recommendations for investments and processes their own organization can implement to strengthen its security posture.
Focus on risk-based security
Once a mutual understanding and strategy is established among leadership, security leaders can demonstrate their alignment with business objectives by providing regular, risk-based insights into the organization’s security posture.
Most of the time, a long-winded explanation of what the security team has done to remediate each and every vulnerability is neither realistic nor effective at resonating with business leadership. To fully communicate the true value-add that cybersecurity programs bring, security leaders should explain how their teams are assessing and reducing risk to the business’ most critical assets. For example, they can communicate the expected loss if a business-critical asset were taken offline through a known vulnerability and compare it with the resource investment required to remediate that vulnerability. These business-aligned security metrics effectively communicate cybersecurity’s role in overall business risk.
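The comparison described above, expected loss from an outage against the cost of remediating the vulnerability that could cause it, can be turned into a small prioritization model. The example below is added here as an illustration and is not code from the article or from Tenable; the asset names, hourly downtime costs, outage durations, likelihoods and remediation costs are constructed for the example and must be replaced with an organization’s own figures.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class OtAsset:
    """A business-critical OT asset with a known, unremediated vulnerability."""
    name: str
    hourly_downtime_cost: float   # revenue lost per hour the asset is offline
    expected_outage_hours: float  # estimated outage if the vulnerability is exploited
    annual_likelihood: float      # estimated probability of exploitation within a year (0..1)
    remediation_cost: float       # money plus scheduled-downtime cost of fixing it


def annual_loss_expectancy(asset: OtAsset) -> float:
    """Expected yearly loss: single-outage loss scaled by how likely the outage is."""
    single_loss = asset.hourly_downtime_cost * asset.expected_outage_hours
    return single_loss * asset.annual_likelihood


def remediation_value(asset: OtAsset) -> float:
    """Expected loss avoided per unit of remediation spend (higher is a better investment)."""
    return annual_loss_expectancy(asset) / asset.remediation_cost


def recommendation(asset: OtAsset) -> str:
    """Remediate when the expected loss exceeds what it costs to fix; otherwise accept and monitor."""
    if annual_loss_expectancy(asset) > asset.remediation_cost:
        return "remediate"
    return "accept/monitor"


def prioritize(assets: List[OtAsset]) -> List[Tuple[str, float, float, str]]:
    """Rank assets by remediation value and attach the figures a business leader would ask for."""
    ranked = sorted(assets, key=remediation_value, reverse=True)
    return [
        (a.name, annual_loss_expectancy(a), a.remediation_cost, recommendation(a))
        for a in ranked
    ]


# Constructed sample data (hypothetical assets and figures, not from the article).
SAMPLE_ASSETS = [
    OtAsset("historian server", 1_000, 24, 0.1, 30_000),
    OtAsset("HMI workstation", 5_000, 8, 0.5, 10_000),
    OtAsset("line-3 robot controller", 50_000, 48, 0.2, 100_000),
]


if __name__ == "__main__":
    for name, ale, cost, advice in prioritize(SAMPLE_ASSETS):
        print(f"{name:26} expected annual loss ${ale:>12,.0f}  "
              f"remediation ${cost:>10,.0f}  -> {advice}")
```

The output is a ranked list in which the robot controller sits at the top, not because its vulnerability is the most severe in technical terms but because an outage on the production line costs the business the most per remediation dollar. That framing, loss avoided per dollar spent, is the kind of metric the article says resonates with business leadership.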
The study notes that business-aligned security leaders are eight times more likely to be highly confident in their ability to report on their organizations’ level of security or risk. Plus, 85% of them have metrics to track cybersecurity ROI and impact on business performance, versus just 25% of their siloed peers.
Taking a risk-based, business-aligned approach to cybersecurity can help industrial organizations evolve from ‘check-the-box’ operations to a fortified, strategic cybersecurity program. With most industrial organizations operating mission-critical systems, there isn’t room for poor security posture. The global economy relies on critical infrastructure; locking arms between business and security leadership to proactively address high-risk vulnerabilities can mean saving lives. With the right combination of technology, people and processes, industrial organizations can continue 24/7 operations with enhanced confidence in their ability to face the cyber threats of tomorrow.