
Operational technology security: “Companies must act urgently”

by admin

Companies may have underestimated one aspect of cybersecurity: while they focus on protecting IT (information technology) systems, OT (operational technology) systems may have been left with inadequate defenses against cyber threats. In fact, cybercriminals are increasingly targeting production systems, knowing that security levels are low.

“Companies around the world are investing heavily in IT security, but many have yet to understand that this priority must be given to OT safety”, we read in a note from Analysys Mason. “Production systems are often the most critical assets in a company and a disruption could lead to consequences that threaten the existence of the company itself. While IT systems can be restored or replaced relatively quickly, assuming proper business continuity management is in place, production systems are often unique and, depending on the extent of the damage, recovery can be a much more onerous process”.

How can this gap between IT security and OT security be remedied? With technical and organizational measures supported by governance.

IoT and cloud increase the need for OT security

OT security has been neglected for a specific reason: in the past these systems were not connected to the external network. Pervasive connectivity, the cloud, the internet of things and the industrial internet of things have profoundly changed the scenario. Putting OT systems online makes them a potential target for hackers.


“IT and OT are no longer areas that operate separately from each other, as often happened in the past,” the analysts write. “There are no longer simple or individual touchpoints in modern enterprise architecture. For example, IT-managed corporate internet access is used for IoT and cloud applications, which are increasingly used in manufacturing and are creating new gateways to access OT systems.”


Companies must also keep in mind the need for regulatory compliance: in the EU, the NIS 2 Directive and the Cyber Resilience Act impose new requirements for critical infrastructure protection and supply chain security.

IT and OT must talk to each other

Security projects are usually implemented and governed from the IT department’s perspective, where the priority is confidentiality and integrity. By contrast, for OT, reliability and availability come first, together with safety, that is, the protection of people and the environment. For this reason, systems in OT environments often do not fit the traditional approach to IT security, as the strategies, concepts and processes do not apply in the same way, and Analysys Mason recommends a differentiated approach to ensure the right cybersecurity measures are in place, also considering that many OT devices have, from this point of view, unique requirements.

For example, while patching vulnerabilities and regularly updating systems are effective security measures in IT, this is often not possible and sometimes not advisable in OT due to the requirement of continuous 24/7 operation.

Furthermore, OT systems often face a lack of test systems. Because of this, the effects of regular patches and updates are unpredictable and can potentially cause problems. Whether an update should be done or not is then a question of necessity and feasibility and must be determined in close collaboration between IT and OT.

Security governance

There are, obviously, security solutions dedicated to OT. But, even without the introduction of such solutions, companies can increase the security level of their production environments by implementing basic technical and organizational measures such as asset management, network segmentation, securing remote access, establishing incident response processes and staff training.

To implement these measures effectively, an OT department is needed that is responsible for operating OT resources and developing OT governance, that is, for acting as a central authority to develop sustainable and workable security concepts together with IT. Indeed, OT should be included in all relevant projects within the IT department and the two functions should support each other with an exchange of expertise.


This virtuous circle is based on the existence and effectiveness of the underlying processes, which in turn requires a change of mentality: the key, and often the most difficult, element to implement in any digital transformation project.
