Building a Strong OT Cybersecurity Foundation: First Ask the Right Questions
Since the start of the COVID-19 pandemic, the pace of digital transformation has accelerated tremendously. Meanwhile, companies have also become increasingly aware that the next leaders in this new digital arena will be those who control and manage their onsite Operational Technology (OT) data. Thus, companies that want to stay ahead in the game first need to achieve successful collaboration between their Information Technology (IT) and OT departments to gain better control of their OT data. Inevitably, IT/OT integration has become one of the key indicators of a company's potential future growth. However, despite its importance, IT/OT integration remains inconceivable to many companies due to one main obstacle: cybersecurity.
According to a survey by International Data Information (IDC), companies tread very lightly around IT/OT integration because they are wary about its impact on cybersecurity.
For starters, talking about the importance of cybersecurity may sound by now like a broken record. However, upon further inspection, one realizes that while cybersecurity has been prioritized by IT, the same cannot be said of OT. In recent years, industrial digital transformation (Industrial DX) has pushed OT out of their small ponds of individual intranets into the wider ocean of the Internet. With the abundance of threats lurking behind Internet connections, cybersecurity has suddenly become a matter of urgency in the OT world—one that needs to be resolved as soon as possible. Nevertheless, to safely navigate through this sea of predators, Moxa has identified the fundamental issues you need to address when strengthening your control systems for cybersecurity purposes. In this article, we address these issues through three Frequently Asked Questions (FAQ) that we pit against counter-questions, which we like to call a Question Behind the Question (QBQ), to help you bolster your cybersecurity strategy.
FAQ 1 vs. QBQ 1
"Who’s responsible for this cybersecurity project?" vs. "Where is the weakest link in my cybersecurity strategy?"
From an organizational standpoint, it is easy to get distracted by the question of who should take charge of a project that now falls under OT but involves a traditionally IT-centric task. While OT staff may argue that they do not have the proper training and experience to deal with cybersecurity, IT staff may argue along the same lines that their inexperience with OT equipment may affect overall operation. Both have a point, since neither department has full knowledge of both cybersecurity and OT operations, hence the dilemma. Trying to delineate responsibility by experience alone seems like a dead end. Thus, we advise clients to employ the “locate the issue first” approach instead. Rather than asking “who has the experience to be responsible?”, the conversation now starts with a risk and vulnerability assessment. This assessment identifies potential risks from an objective viewpoint, such as unlisted or high-risk OT equipment, outdated software or services, management loopholes caused by human error, etc. These objective evaluations are a good starting point for setting a clear list of goals that the OT and IT departments can use to collaborate and resolve the problems at hand.
FAQ 2 vs. QBQ 2
"What is the Return on Investment (ROI)?" vs. "What is the Cost of Inaction (COI)?"
In OT, ROI is the key indicator when considering an investment in new equipment. However, if ROI is used to measure the cost and benefits of cybersecurity, the outcome (i.e., investment from higher-ups) is often disappointing. This is due to the nature of cybersecurity. Its main concern is to reduce risk, so it should not be measured as a growth-centric “investment.” Hence, the real question should be: "If we don't do it now, what is the worst that can happen?", also known as COI. The risk of inaction when it comes to cybersecurity is often much larger than foreseen. Therefore, COI can help businesses evaluate the impact of potential cybersecurity risks from a more practical perspective and, furthermore, speed up the decision-making process regarding a project through prioritization.
FAQ 3 vs. QBQ 3
"What is the safest solution?" vs. "What is the most suitable solution?"
After dealing with the abovementioned questions, which identify and prioritize cybersecurity vulnerabilities, you will still have to evaluate your plan, process, system, or tools. As most existing cybersecurity methods, tools, or services are designed from an IT perspective, they may not necessarily be suitable for OT implementation. For example, a customer of ours in Southeast Asia received a suggestion from its IT department to enable a screen lock function on both computers and onsite human-machine interfaces (HMI) to prevent equipment from being hacked. However, while this is a suitable solution for IT environments, it does not consider the need for a machine to respond immediately to anomalies in an OT environment. If an abnormality occurs at a site, the response time to regain control of the system may need to be within milliseconds, or it could cause huge losses. If too much time is spent waiting for the operator to enter the correct password, the delay could have colossal financial or life consequences. Therefore, when choosing a cybersecurity solution, the most expensive or the most widely recognized solution is not necessarily the best. Choosing the right solution for your specific needs is what counts.
Cybersecurity is not only a technical issue, but a business one as well. As evidenced by the numerous cybersecurity attacks in industrial environments lately, it’s not hard to see why cybersecurity is a prime concern for many business owners. By transforming the regular FAQs into QBQs, a stronger foundation can be built to establish the right cybersecurity strategy for you.