The practice of risk management is quite mature in modern organizations. Many, if not most, CISOs have successfully applied corporate risk-management methodology to improve IT cybersecurity in a cost-effective way.
But the new thing CISOs need to confront is what we call Connected OT. You’ll also hear terms such as IT/OT convergence, and the Industrial Internet of Things. In nearly every industrial sector, production and R&D networks are rapidly losing their traditional isolation from networks managed by IT.
The business drivers behind this shift are well-documented and very powerful. There’s no putting this genie back in the bottle. CISOs thus face the need to extend their risk management practices to cover OT. And that’s proving to be a challenge.
It’s been our observation that on the whole, CISOs and IT network managers have largely come to terms with the cultural and organizational barriers that separate them from their counterparts on the OT side. It took a few years to get here, but IT and OT people in large industrial organizations now generally recognize that they need to work together to solve a shared problem.
Now the next step is to model cyber-risk in OT-space such that it can be managed effectively with existing processes. And this is a brand-new practice area that even the most forward-looking organizations are just now starting to think about.
The Differences Between IT and OT
We have been saying for years that cybersecurity for IT and for OT are fundamentally different things. If you don’t take the time to understand the differences, you run the risk of losing time and money, and not getting the security your organization needs.
While there are many important differences, we are going to start by considering some basic aspects about the nature of risk management itself.
You already know that risk can be modeled as a function of threat, vulnerability, and impact:
(R = T x V x I)
You can compute risk in this way for individual capital assets and industrial processes, and then integrate across your production footprint to produce a dynamic risk score across your enterprise.
So far, so good. But how do you actually use risk methodology to improve security? This is where some key differences between IT and OT come into play.
You really can’t do much to manage threat, which is nearly a constant everywhere. In the risk equation above, threat (or T) basically reduces to 1.
A Focus on Vulnerability
Vulnerability is where most IT managers focus, for a very good reason: across enterprise IT, aggregate vulnerability is very high and nearly constant. Think about all those computers running standard operating systems, and all the bad guys in the world cooking up exploits against them.
On the other hand, impacts from individual cyber events in IT are actually quite low, and reasonably well managed by the well-honed security practices used nearly everywhere.
As a result, IT cybersecurity managers focus on managing vulnerability. They spend their resources making sure they apply patches, rotate passwords, and train their users not to click on links in emails. This lowers overall risk in a cost-effective way because they are attacking the largest single factor in the risk equation.
On the OT side, it’s different. Aggregate vulnerability in equipment such as PLCs, HMIs, and networked industrial machines is generally quite low. Unlike general-purpose computers and networks, industrial machines and networks are purpose-built and very heterogeneous. It can take a great deal of time and effort to discover vulnerabilities that only affect a narrow range of equipment types, vendors, or models.
The Impact Side of the Equation
But the impact side of the risk equation is off-the-charts-high in OT. Just a single mistimed command delivered to an industrial machine, control system, or safety-assurance system can result in widespread outages, environmental damage, and even injury or death. Even worse, the byzantine interconnectedness of complex industrial systems means that impacts can cascade catastrophically.
The bottom line is: where IT focuses on managing vulnerabilities, OT must focus on managing impacts. In terms of methodology, this means you need to keep your eye on four things:
Assume that threat is constant.
Assume that vulnerabilities in your OT system are being discovered and mapped, so monitor your networks for signs of reconnaissance.
Map out your most critical assets, and protect them with network segmentation and firewalling to contain the spread of impacts.
Continuously monitor your industrial processes so you can recognize impacts and operational problems early.
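To make the argument concrete, here is an added toy model (not code from the original post) of R = T x V x I scored per asset and summed across a portfolio, with OT impacts cascading along process dependencies unless a segmentation boundary contains them. All asset names, vulnerability and impact values, and dependencies are constructed for illustration; treating T as the constant 1 follows the text above.

```python
from dataclasses import dataclass
THREAT = 1.0  # T: treated as a constant that reduces to 1, as the text argues

@dataclass(frozen=True)
class Asset:
    name: str
    vulnerability: float  # V, likelihood-like factor in [0, 1]
    impact: float         # I, direct loss if this asset alone is compromised
    feeds: tuple = ()     # downstream assets this one's compromise cascades into

def cascaded_impact(name, assets, boundaries=frozenset(), seen=None):
    """Direct impact of `name` plus the impact of everything it cascades into.
    `boundaries` holds (upstream, downstream) links cut by segmentation."""
    seen = set() if seen is None else seen
    if name in seen:          # cycle guard; each asset counted once per cascade
        return 0.0
    seen.add(name)
    asset = assets[name]
    total = asset.impact
    for downstream in asset.feeds:
        if (name, downstream) not in boundaries:
            total += cascaded_impact(downstream, assets, boundaries, seen)
    return total

def risk_by_asset(assets, boundaries=frozenset()):
    """R = T x V x I per asset, where I includes any uncontained cascade."""
    return {n: THREAT * a.vulnerability * cascaded_impact(n, assets, boundaries)
            for n, a in assets.items()}

def total_risk(assets, boundaries=frozenset()):
    return sum(risk_by_asset(assets, boundaries).values())

def patched(assets, factor):
    """Vulnerability management: scale every asset's V by `factor`, e.g. 0.5."""
    return {n: Asset(a.name, a.vulnerability * factor, a.impact, a.feeds)
            for n, a in assets.items()}
# Constructed portfolios: IT is many high-V, low-I hosts with no process cascade;
# OT is a few low-V assets whose impacts chain through the physical process.
IT = {f"ws{i}": Asset(f"ws{i}", 0.9, 1.0) for i in range(20)}
OT = {
    "hmi": Asset("hmi", 0.10, 5.0, feeds=("plc",)),
    "plc": Asset("plc", 0.05, 100.0, feeds=("turbine",)),
    "turbine": Asset("turbine", 0.02, 2000.0, feeds=("grid_feed",)),
    "grid_feed": Asset("grid_feed", 0.01, 50000.0),
}
SEGMENT = frozenset({("plc", "turbine")})  # firewall between control and process

if __name__ == "__main__":
    print(total_risk(IT), total_risk(patched(IT, 0.5)))
    print(total_risk(OT), total_risk(patched(OT, 0.5)), total_risk(OT, SEGMENT))
```

In this constructed case, halving every V in the IT portfolio halves its risk, while in the OT portfolio a single boundary between the control and process layers removes more risk than halving every V does.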