John Salvino
John Salvino Bq G Bb Lq Yfc Unsplash

Can OT Learn From IT?

May 15, 2020
Successful security strategies often draw from best practices -- even if those best practices come from entirely different worlds.

As operational technology has transformed into connected technology, manufacturers are entering a new realm of risk. After all, most production equipment was never prepared to address expansive, external attacks. The reality is protecting converged environment is challenging. And, getting it right will require commitment, rigor and discipline to develop the robust cyber security programs necessary.

Fundamentally, manufacturers need to have a security program focused on the OT environment, explains Sean Peasley, Deloitte risk and financial advisory partner IoT security leader. “It might be something that's an extension of their enterprise security or something that's distinct and separate, but there are things OT can learn from what IT has done within the enterprise,” he says. “IT has pretty good discipline around processes and technologies as well as testing technologies to make sure that they're utilized in an appropriate manner.”

Of course, in applying some of the practices IT security professionals have refined over the past few decades, manufacturers need to avoid upsetting operational environments. “For instance, security deployments cannot impact high availability. They also need to take into consideration the unique, often proprietary, protocols and technologies before applying security measures,” he says. “When bringing ideas together, manufacturers need to understand the key objectives of each of the different phases to ensure a safe, trusted and secure environment.” 
  • Prioritization. The principals behind many of the security maturity models can help determine what to prioritize. The key is to understand how each component impacts the environment and its risk level to the organization. The goal should be to tackle higher risk, lower hanging fruit and adjusting coverage over time. Continuing with that process, and focusing on risk reduction over time, results in progressive and principled protection.
  • Visibility. Do you have visibility into what's happening in those operational environments? Are you able to effectively monitor for cyber events that could be exposing information about organizational assets? How does the company adjust and remediate in operational environments while keeping factories up and running? How do you align security with production maintenance schedules?
  • Posture. It's a good opportunity for companies to improve their overall security posture aligning it to other programs that they might already have to be talking about companies leveraging things like maybe their safety programs. Manufacturers need to leverage some of those programs from a governance and training standpoint and embed them into the culture of the organization. As companies roll out these programs, it would be wise to be thoughtful about how to leverage something that's already part of the office culture of an organization.

Eye on the Future

The introduction of new technology is constantly impacting operational environments, often expanding the threat landscape. 5G is a prime example. As 5G wireless becomes a new reality on plant floors, it will quickly surface as a huge opportunity with new advantages for IoT and connected environments. There are some elements of security built into 5G, it will introduce new risks as well. How do manufacturers evaluate and address those risks?

Likewise, edge computing capabilities continue to expand. "Edge capabilities will play a role in determining how much information to communicate via the ecosystem into the cloud and back into the operational environment," says Peasley. "By computing at the edge manufactures can save taking the potential risk of somebody intercepting valuable information."

Bottom line, manufacturers need to remember that adversaries are very creative, patient and often well-funded, so they may take advantage of those situations where companies are deploying newer technologies, explains Peasley. It's time for security awareness in the plant," he says “Awareness will help manufacturers develop a risk management plan including robust cyber security controls and processes to ensure protected environments,” 

Sponsored Recommendations

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!