The convergence of information technology (IT) and operations technology (OT) marks a major driver of OT risks. More devices within OT systems and industrial controls systems (ICS) are being connected to IT systems and networks. While this convergence drives significant efficiency improvements, greater business agility and data analytics advances, it also exposes OT environments to more cyber-attacks, including ransomware and other damaging digital intrusions. These threats, which can lead to major supply chain comprises and staggering revenue losses, can be spread by third party products, integrators and service providers.
The most formidable impediment to managing internal and third-party OT risks currently boils down to a lack of awareness and understanding. This is understandable, given the significant differences between information technology (and cybersecurity) and operational technology, notes Santa Fe Group Vice President of Research Mike Jordan, who monitors trends in supply chain risk management and comes from a manufacturing industry and cybersecurity background.
“The three biggest challenges related to managing OT risks,” Jordan notes, “are, one, the people who understand cybersecurity often do not understand OT systems; two, the people who understand OT systems typically don’t understand cybersecurity; and three, the people who are assessing and auditing OT systems sometimes do not have a sufficient understanding of either.”
The Shared Assessments Operational Technology Risk Management Working Group as formed to fill these knowledge gaps by:
- Identifying and disseminating the challenges that organizations face in managing OT risks;
- Developing methods and tools for standardizing OT due diligence activities; and
- Designing and improving a range of best practices to address OT risk management challenges.
Some of the most critical challenges that the working group is tackling include:
- Assessing compliance with standards, regulations and frameworks (such as NERC CIP, NIST SP 800-82 and CPNI SICS);
- Managing the convergence, and divergence, of OT and IT;
- Identifying and addressing supply chain cybersecurity risks;
- Securing industrial digital twin and Internet of Things (IoT) technologies; and
- Assessing co-manufacturers.
The Working Group’s members hail from companies in most manufacturing sub-sectors, utility companies, energy companies, telecoms, mining and a range of ICS manufacturers, security companies and service providers.
One of the best ways to get started on OT risk management improvements is by developing a clear understanding of important differences between OT and IT.
IT refers to the applications and networks that store, analyze and deliver data that a generation or two ago existed on paper, in filing cabinets, and on calculators. OT consists of physical devices and systems — all those machines with switches, gears, belts and knobs that work together to physically change and/or monitor a wide range of manufacturing and logistics environments. IT work is conducted by technologists and business system analysts while OT work usually is conducted by engineers. This work — and, especially how it is protected — represents one of the biggest differences between IT and OT as well as a primary source of the cultural divide between OT engineers and IT professionals. The priorities between these groups are sometimes at odds.
“When it comes to securing IT assets,” Jordan notes, “The ‘CIA triad’ governs how IT security policies should work — confidentiality, integrity and availability, often in that order of priority.” Confidentiality means making sure that individuals cannot see data or information that they are not supposed to see. Integrity involves ensuring that an IT asset remains in its desired state (e.g., that data is not altered or otherwise corrupted). And availability generally relates to keeping IT systems and applications up and running so that information is available as needed. While system downtime needs to be avoided, brief gaps in availability are a fact of IT security life given how often systems need to be upgraded or replaced.
When it comes to protecting OT assets, however, “you basically flip the CIA triad on its head,” Jordan continues. “It really becomes the AIC triad, and probably capital ‘A’ followed by lower-case ‘i’ and lower-case ‘c.’ Availability is by far the most important part of the equation. If your factory’s not working, you’re not making products — and you certainly aren’t making money.” The cost of downtime in OT environments has been estimated as high as $22,000 a minute. Plus, downtime can send a painful ripple effect throughout entire supply chains.
“Far more important that the cost of downtime is the fact that many of these systems have human safety risks attached to them,” Jordan says. “Food services companies rely on OT devices to check for metal content and other contaminants. Pharmaceutical manufacturing breakdowns can cause major issues. Employees can be put at risk if large pieces of machinery shatter. If the electric grid goes down, eventually life-sustaining medical devices stop functioning and so on. So, availability is paramount.”
Ensuring that availability hinges on advancing OT risk management capabilities. We’ll keep you posted here on the working group’s progress toward that goal in the months ahead.