Tips on prioritizing cybersecurity investments for operational technology

March 19, 2024
Enhancing OT cybersecurity requires a full-stack approach that strengthens technological foundations while preserving value-driven OT operations

Cybersecurity is designed to protect modern networks and computers from cyberattacks, but much of the infrastructure for operational technology, or OT, is exposed to dangerous security gaps, often due to aging systems and equipment, deliberate focus on reliability, and lack of dedicated cybersecurity resources for OT. Ninety-six percent of business leaders have indicated the need to invest in OT cybersecurity, and 70% of those who have invested in it still face implementation challenges, according to a research report from McKinsey & Co.

Operational technology covers the hardware and software used to monitor and control industrial equipment, assets, and processes, which are capital-intensive assets. Much of that OT was built years, if not decades, ago, when security was not the problem it is today. For example, communications protocols in IT systems are routinely encrypted and protected, yet most OT systems lack those same safeguards. Many legacy OT tools still rely on plaintext messages and communications because those transparent messaging systems were not vulnerable to cyber threats when they were adopted.

Another substantial difference between IT and OT is that security-minded IT managers tightly control IT network infrastructures, whereas OT infrastructures are owned by production teams who are focused on system reliability and measured on uptime. In many cases, such as in energy transmission and distribution (T&D), it may take months or even several years before a planned shutdown of equipment and processes can be scheduled, due to operational or business restrictions. By then, it may be too late.

In addition, security operations centers and IT teams regularly manage risk by releasing new software patches and updates to protect connected devices from malware or bugs. Unfortunately for OT managers, frequent patching is nearly impossible due to uptime constraints. Moreover, many industrial solutions were deployed years ago, and some of them are no longer supported. As a result, there is no patch to update the outdated firmware, which forces industrial manufacturers to live with ongoing vulnerabilities.

No Solutions for Some Issues

In many cases, there is no technical solution to the problem. For instance, nobody still runs the Windows 95 operating system on their home computers because Microsoft stopped supporting that version years ago. Yet many large industrial processes still use Windows 95 because their software applications only run on Windows 95. That means operators cannot solve the problem without a complete rip-and-replace of their multibillion-dollar facilities, which is unfeasible.

Bad actors often use unsecured third-party connections to take over OT devices and plant ransomware, then shut down operations and halt production when the ransom goes unpaid. In many cases, this squeezes OT decision-makers between competing business priorities, risk awareness against risk tolerance, because they must choose between maintaining productivity and maintaining security.


OT cyberattacks also generally have more severe consequences than IT attacks, because OT involves physical facilities that are prone to leaks, outages, shutdowns, or explosions. More than one-third of the 64 OT cyberattacks that were publicly reported in 2021 had real physical consequences, with damage estimated at $140 million per incident, according to McKinsey.

All these challenges have heightened the need for OT leaders to take a risk-based approach to mitigation. The best way to do so is by offloading those risks to insurers, who can hedge their losses among other policyholders. Hence the need for OT leaders to prioritize company investment in both technology solutions and cyber insurance.

Seven Practical Steps to Reduce Cyber Risk in OT Environments

When industrial CISOs face investment decisions for OT cybersecurity projects, they require more than basic security assessments to rank their systems as red, yellow, or green. CISOs need business-focused strategies that can engage CFOs, investment partners, and directors about the financial and security incentives for prioritizing such investments. Here are seven practical steps on the path to improving cybersecurity in OT environments, reducing cyber risk for the entire business and building cyber resilience.

Identify the assets at risk: This first step is critical in industries such as energy, manufacturing, data center operations, and transportation because they all require highly capital-intensive equipment. Such equipment is costly to maintain, repair, and replace, yet it is also increasingly connected to the internet and exposed to changing vulnerabilities.

Identify cybersecurity weaknesses: OT companies should develop a 360-degree view of their cybersecurity gaps, from vulnerabilities to poor controls to a lack of employee training on basic security hygiene measures.

Quantify cyber risk: Every cybersecurity weakness represents a risk. But not all risks are created equal. Knowing which ones could potentially lead to the worst outcomes or financial losses can help shape a sound cybersecurity investment strategy. Measuring cyber risk also helps with addressing regulatory requirements and avoiding penalties for non-compliance.

Design risk mitigation strategies: Each risk should be attached to one or more mitigation strategies. By adopting multiple overlapping approaches, OT operators can build in more robust security protections. Security best practices include segmenting OT networks from other networks, and properly configuring all software settings and security solutions.

Quantify the ROI of suggested mitigation strategies: It is also important to measure how much each mitigation approach contributes to risk reduction, and thus how much it decreases the likelihood of a damaging event. A Loss Exceedance Curve (LEC) chart is a helpful tool to demonstrate the costs and benefits before and after mitigation. LEC charts show the annual frequency with which a given economic loss will be exceeded, such as for a 1-in-100-year event.
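The quantification steps above can be carried through numerically. The following is an added example, not code from the article or from DeNexus: it simulates annual OT loss before and after a mitigation (network segmentation), reads exceedance probabilities and the 1-in-100-year loss off the resulting empirical LEC, and computes the return on the control's cost. The Poisson-frequency/lognormal-severity model and every parameter value are constructed assumptions for illustration.

```python
import math
import random
import statistics

def simulate_annual_losses(event_rate, median_loss, sigma, years=10_000, seed=1):
    """Monte Carlo annual loss: Poisson(event_rate) incidents per year, each with a
    lognormal severity (median median_loss, log-sd sigma). The model is an assumption."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Poisson sample via Knuth's multiplication method (fine for small rates)
        events, p, limit = 0, 1.0, math.exp(-event_rate)
        while True:
            p *= rng.random()
            if p <= limit:
                break
            events += 1
        losses.append(sum(rng.lognormvariate(math.log(median_loss), sigma)
                          for _ in range(events)))
    return losses

def exceedance_probability(losses, threshold):
    """One point on the LEC: empirical P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def loss_at_return_period(losses, return_years):
    """Loss exceeded with annual probability 1/return_years (e.g. the 1-in-100-year loss)."""
    ordered = sorted(losses)
    return ordered[max(0, len(ordered) - len(ordered) // return_years - 1)]

def return_on_security_investment(before, after, annual_control_cost):
    """ROSI = (reduction in annualized loss expectancy - control cost) / control cost."""
    reduction = statistics.fmean(before) - statistics.fmean(after)
    return (reduction - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    # Constructed scenario, not from the article: 0.5 incidents/year with a $2M median
    # loss; segmentation is assumed to halve the rate and cut severity 30% for $300k/year.
    before = simulate_annual_losses(0.5, 2e6, 1.0)
    after = simulate_annual_losses(0.25, 1.4e6, 1.0, seed=2)
    for t in (1e6, 5e6, 20e6):
        print(f"P(loss > ${t/1e6:.0f}M): before {exceedance_probability(before, t):.3f}"
              f"  after {exceedance_probability(after, t):.3f}")
    print(f"1-in-100-year loss: before ${loss_at_return_period(before, 100)/1e6:.1f}M"
          f"  after ${loss_at_return_period(after, 100)/1e6:.1f}M")
    print(f"ROSI of segmentation: {return_on_security_investment(before, after, 3e5):.2f}")
```

Plotting exceedance probability against loss threshold for both series gives the before/after LEC chart described above; the gap between the curves is the risk reduction the control buys.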

Share Your Findings in an Executive Report

All the above findings and analyses should be consolidated into a clear financial report with specific investment recommendations for the CFO, board, and budget committees.

Efforts to enhance OT cybersecurity require a full-stack approach with the ability to strengthen technological foundations while preserving value-driven OT operations. These common-sense steps depend on partnerships across an organization to manage top-down operational assessments, combined with bottom-up analyses of each asset to identify direct risks at the site level. Only in this way can OT teams encourage business leadership to make the necessary investments to improve overall security while maintaining operational productivity.

Jose M. Seara is the founder and CEO of DeNexus, a leader in cyber risk quantification and management for operational technology (OT) and industrial control systems (ICS).