Download the latest OT/IoT Security Report from Nozomi Networks Labs
Download Report
Recent regulatory changes mean that CISOs are now expected to assume liability along with responsibility for enterprise cybersecurity risk. For industrial organizations, that encompasses risk from OT devices and networks. With the lines between IT, IoT and OT networks blurrier than ever, comprehensive oversight of risk is long overdue. The shift to an enterprise approach to risk is positive, but it raises questions about who should own the purchasing, deployment and maintenance of cybersecurity solutions for unfamiliar (to IT departments) cyber-physical environments. And at this stage in the shift, the answers aren’t clear.
The IEC62443 Part 2-1 standard outline the requirements for establishing a cybersecurity management system for industrial automation and control systems.The guidance is indispensable, but it’s still up to each organization to identify the right people to implement it. For example, cybersecurity policies for OT engineers, technicians, process operators and control room operators often don’t exist. Who will write the policies, and who will train the affected Individuals? Likewise, who’ll create incident response plans, as typically they can be quite different in OT because of physical safety consequences?
CISOs may own enterprise risk, but they usually know enough about OT security to know it’s outside of their wheelhouse. Because they have broad influence over both technical and business decisions, they’re best suited to be executive sponsors for the project. That includes providing strategic direction, securing needed resources, managing escalations and communicating progress to executives and the board. Most importantly, they must recruit the right people to evaluate OT security solutions, deploy them and provide ongoing oversight.
The ideal OT security team includes plant managers, engineers and operators who understand industrial control systems inside and out, even if they might be unsure or skeptical of cybersecurity. On the cyber side, you’ll want to recruit security and network managers, analysts and administrators, even if several of them may have never set foot on the plant floor. For companies subject to cybersecurity regulations, you’ll want to include a compliance expert to ensure the solutions you install cover key requirements, including reporting.
If any of these roles is missing, you may still make an informed purchasing decision, but internal challenges will likely surface down the road and cause delays. For example, if no one from the networking team is at the table, when you try to implement SPAN traffic monitoring, they may need additional persuasion or might have a different idea altogether that forces you to go back to the drawing board. If key OT stakeholders aren’t invited to weigh in on the technology purchasing decision, you are likely to face delays or be prevented from installing it altogether.
Among these team members you must identify the right leader to oversee day-to-day projects. Introducing OT security onto the shop floor means introducing very different behavior. There will be new policies, configurations and controls, such as tighter access management, that change how operators do their everyday jobs. Many of these changes won’t be popular. Can this person champion the changes as not only necessary but also in everyone’s best interest? As executive sponsor the CISO will also lead this charge, but you want a trusted peer answering detailed questions and winning over naysayers. By the time the security vendor or system integrator shows up, you want educated employees who know what to expect and are ready.
Post-implementation requires even more cross-functional cooperation. To enable enterprise risk management, data from your OT environment must be fed into your security information event management system(SIEM) or otherwise integrated with your existing IT security platform so the security operations center (SOC) or managed security services provider (MSSP)can identify issues. It’s critical for OT experts (ideally OT security experts) to keep educating these groups about the sensitivity of OT networks and why remediation efforts must involve personnel who are knowledgeable about your industrial processes and network.
In short, dozens of people across the organization must jointly own OT cybersecurity for your program to succeed. Nozomi Networks has deployed OT security solutions into thousands of environments across every industrial and critical infrastructure sector. We’ve seen projects run smoothly, and we’ve seen them get stalled at every step. Aspart of every implementation kick-off, we review common OT-IT cultural challenges and offer ways to overcome them that we know work.
Recent regulatory changes mean that CISOs are now expected to assume liability along with responsibility for enterprise cybersecurity risk. For industrial organizations, that encompasses risk from OT devices and networks. With the lines between IT, IoT and OT networks blurrier than ever, comprehensive oversight of risk is long overdue. The shift to an enterprise approach to risk is positive, but it raises questions about who should own the purchasing, deployment and maintenance of cybersecurity solutions for unfamiliar (to IT departments) cyber-physical environments. And at this stage in the shift, the answers aren’t clear.
The IEC62443 Part 2-1 standard outline the requirements for establishing a cybersecurity management system for industrial automation and control systems.The guidance is indispensable, but it’s still up to each organization to identify the right people to implement it. For example, cybersecurity policies for OT engineers, technicians, process operators and control room operators often don’t exist. Who will write the policies, and who will train the affected Individuals? Likewise, who’ll create incident response plans, as typically they can be quite different in OT because of physical safety consequences?
CISOs may own enterprise risk, but they usually know enough about OT security to know it’s outside of their wheelhouse. Because they have broad influence over both technical and business decisions, they’re best suited to be executive sponsors for the project. That includes providing strategic direction, securing needed resources, managing escalations and communicating progress to executives and the board. Most importantly, they must recruit the right people to evaluate OT security solutions, deploy them and provide ongoing oversight.
The ideal OT security team includes plant managers, engineers and operators who understand industrial control systems inside and out, even if they might be unsure or skeptical of cybersecurity. On the cyber side, you’ll want to recruit security and network managers, analysts and administrators, even if several of them may have never set foot on the plant floor. For companies subject to cybersecurity regulations, you’ll want to include a compliance expert to ensure the solutions you install cover key requirements, including reporting.
If any of these roles is missing, you may still make an informed purchasing decision, but internal challenges will likely surface down the road and cause delays. For example, if no one from the networking team is at the table, when you try to implement SPAN traffic monitoring, they may need additional persuasion or might have a different idea altogether that forces you to go back to the drawing board. If key OT stakeholders aren’t invited to weigh in on the technology purchasing decision, you are likely to face delays or be prevented from installing it altogether.
Among these team members you must identify the right leader to oversee day-to-day projects. Introducing OT security onto the shop floor means introducing very different behavior. There will be new policies, configurations and controls, such as tighter access management, that change how operators do their everyday jobs. Many of these changes won’t be popular. Can this person champion the changes as not only necessary but also in everyone’s best interest? As executive sponsor the CISO will also lead this charge, but you want a trusted peer answering detailed questions and winning over naysayers. By the time the security vendor or system integrator shows up, you want educated employees who know what to expect and are ready.
Post-implementation requires even more cross-functional cooperation. To enable enterprise risk management, data from your OT environment must be fed into your security information event management system(SIEM) or otherwise integrated with your existing IT security platform so the security operations center (SOC) or managed security services provider (MSSP)can identify issues. It’s critical for OT experts (ideally OT security experts) to keep educating these groups about the sensitivity of OT networks and why remediation efforts must involve personnel who are knowledgeable about your industrial processes and network.
In short, dozens of people across the organization must jointly own OT cybersecurity for your program to succeed. Nozomi Networks has deployed OT security solutions into thousands of environments across every industrial and critical infrastructure sector. We’ve seen projects run smoothly, and we’ve seen them get stalled at every step. Aspart of every implementation kick-off, we review common OT-IT cultural challenges and offer ways to overcome them that we know work.
