The Business of OT Cybersecurity

Understanding the Business of OT Cybersecurity

As cybersecurity threats escalate in both number and complexity, a new frontier has emerged that demands special attention – Operational Technology (OT) cybersecurity. The unique challenge of protecting industrial control systems from cyber threats has businesses around the globe rethinking their approach. In this article, we will delve into what is meant by the ‘Business of OT Cybersecurity,’ dissecting its integral components and why they matter.

When we say the ‘Business of OT Cybersecurity,’ we’re referring to much more than just costs and control. There are numerous facets to this critical subject, all deserving of in-depth exploration and understanding. This is a complex field that touches on all areas of an organization and impacts stakeholders at every level. The objective here is to provoke action-oriented thoughts about dealing with OT environments from a distinct business perspective.

OT cybersecurity is a shared responsibility. It brings together diverse stakeholders – directors, managers, HR departments, admin, and accounting groups, as well as line workers. Everyone plays a vital role in determining the level of action within OT cybersecurity. The collective expertise of these individuals is what enables informed decisions that ensure business viability, even in the face of unwanted events.

The Five Core Pillars of Business-Driven Cybersecurity

To bring structure to this broad topic, we have categorized the business objectives into five core pillars, each playing a crucial role in shaping a comprehensive, business-driven cybersecurity platform. These pillars are continuity, strategy, resiliency, finance, and culture:
  1. Continuity – This is where the minimum expectations are set, challenged, and verified. It revolves around sustaining critical operations in the face of potential disruptions.
  2. Strategy – This is the phase where operations and actions necessary to meet the expectations are defined. Mitigation approaches are developed that meet the continuity targets, keeping the business resilient in the face of threats.
  3. Resiliency – In this context, resiliency refers to the organization’s ability to recover from and minimize the impact of an attack while maintaining safety and availability of critical facility operations.
  4. Finance – This pillar involves ensuring that the OT cybersecurity program is measured and managed in a financially responsible manner. The goal is to address all necessary points without unnecessary expense and within acceptable budget constraints while maximizing return on investment.
  5. Culture – Without a culture that embraces OT cybersecurity’s importance in critical processing or manufacturing, all other objectives are likely to fall short. This culture shift comes through training, communication, and management.

In subsequent sections, we will delve deeper into each pillar, explaining why each one matters to the business of OT cybersecurity. By understanding these facets, businesses can build a robust, adaptive, and cost-effective OT cybersecurity strategy that not only protects but also enables operational success.

The 1st Pillar – Business Continuity for OT Cybersecurity

Let’s explore the first pillar of the ‘Business of OT Cybersecurity’ – Business Continuity. This pillar sets the tone for the balance of the business requirements when discussing cybersecurity. It answers the pivotal questions that lay the groundwork for future actions and the strategic direction of the business’s cybersecurity framework, risk appetite, and recovery objectives.

Business Continuity refers to the organization’s ability to continue its essential business operations, including its OT systems and critical infrastructure, amidst cyber threats or incidents. In essence, it’s about maintaining systems availability and control of crucial operations, even if OT systems are compromised. These strategies may encompass technical and non-technical responses, such as manual operations, additional personnel, or enhanced security protocols. Cybersecurity Business Continuity planning prompts important questions, including:

  1. What is my organization’s risk appetite?
  2. How much risk is acceptable or tolerated?
  3. What are the maximum Mean Time To Recovery (MTTR) targets?
  4. Are there other drivers (e.g., regulations, budgets, outside forces)?

These questions facilitate the understanding of an organization’s risk tolerance and its ability to recover from incidents. For instance, the maximum MTTR targets will define tolerated costs and time to recover from an incident, including essential operations and return to normal.

While all business processes and functions are vital to meeting total business needs (i.e., return to normal), not all of them are essential to minimal operation. Identifying these crucial functions, processes, and systems is precisely what the business continuity plan aims to define and protect.

Additionally, external drivers like regulations, budget constraints, and outside business forces can significantly influence cybersecurity decisions. While they may not directly address cybersecurity concerns, they may impact our ability to respond unless mitigated. They must therefore be taken into consideration while developing business continuity objectives.

A well-prepared business continuity plan is an essential asset. The document captures the impact analysis results together with the strategic and resiliency components needed to ensure proper recovery in case of an incident. The time to consider what to address, the depth of recovery efforts, the tolerance for risk, and many other factors is before an event requires it. Proactivity triumphs every time, as decisions made in haste can prove costly and may overlook key requirements.

A robust business continuity plan should minimally include:

  1. Results of the business impact analysis.
  2. A high-level risk assessment identifying major threats and vulnerabilities.
  3. Risk mitigation strategies.
  4. Incident response with references to detailed plans as necessary.
  5. The continuity plan itself to maintain critical business processes and systems in the event of a cybersecurity incident. This includes approaches for backup, recovery, resource expectations, and plans to resume normal operation beyond critical recovery.
Business continuity also implies that the determined approaches are tested and that resources are trained in their expectations and processes. It is a proactive approach that saves not only time and money but also the organization’s reputation and future.

The 2nd Pillar – Strategy in OT Cybersecurity

When we talk about strategy, it’s tempting to dive straight into the technical details. However, in the context of planning your OT cybersecurity approach, the term “strategy” leans more towards alignment with broader business objectives rather than technical specifics.

A business-level strategic approach to OT cybersecurity involves identifying and assessing the risks to an organization’s OT systems, developing a risk management strategy, and implementing measures to prevent, detect, and respond to cyber incidents. One of the most crucial decisions at the outset relates to resource allocation: determining whether the elements of the cybersecurity continuity plan, once implemented, will be executed in-house, outsourced, or through a hybrid approach will likely shape your overall strategy.

Primary considerations within the strategic plan include:

  1. Planning the risk assessment expectations: This includes setting strategic objectives so that vulnerabilities, threats, and the potential consequences of a cyberattack are assessed for both business continuity and return to normal operations. Once set, these strategies must also outline the expectations for the associated comprehensive risk assessments.
  2. Developing a risk mitigation strategy: This encompasses methodologies for prioritizing risks, expectations for risk mitigation, and requirements for resource allocation. The focus here isn’t on detailing every specific action (that’s left to the experts), but rather setting expectations to maintain business operations.
  3. Establishing baseline security controls: In this section, high-level requirements for access control, data segregation, and systems management to prevent cyberattacks are defined.
  4. Setting minimum training and awareness expectations: This is intended to help employees understand their role in protecting the organization’s OT systems from cyber threats.
  5. Identifying regulatory requirements or expectations: Any organization must document its requirements and expectations related to relevant regulations, executive orders, and industry standards, such as NIST or IEC 62443.
The strategic pillar, therefore, involves planning and decision-making at a high level. It revolves around aligning cybersecurity efforts with broader business goals, setting the implementation objectives, managing resources, and fulfilling regulatory or design obligations.

The 3rd Pillar – Resiliency in OT Cybersecurity

Resiliency revolves around an organization’s ability to absorb and adapt to cyber threats or incidents. This encompasses creating processes and plans that minimize the impact of an attack, while maximizing the ability to operate processes that maintain safety and necessary facility operations.

Resiliency isn’t merely about recovering from an incident, but also involves ongoing adaptation and learning. It requires the organization to not just respond to attacks, but also to anticipate them, withstand them, and recover while continuously adapting and improving.

The effectiveness of business resiliency is fundamentally tied to how well the formulated strategy is implemented.

Defining Business Resiliency

In the context of cybersecurity, business resiliency can be defined as the ability of an organization’s cybersecurity program to prepare for, withstand, and recover from cyber threats or incidents without compromising the confidentiality, integrity, or availability of critical information assets.

In essence, resiliency is a measure of readiness to address concerns as they arise, more than just preventing cyberattacks. It gauges how swiftly an organization can respond to and recover from any damage caused should a cyberattack occur.

Implementing Business Resiliency

Assessments within the resiliency pillar help to answer key questions, such as:
  1. Does the organization have the necessary cybersecurity capabilities available to allow the business continuity plan to succeed?
  2. Does the organization have processes and technologies defined and implemented to prevent, detect, respond to, and recover from cyber threats or incidents?

Resiliency in business continuity and ‘return to normal’ requires a comprehensive approach that encompasses people, processes, and technology. It is this three-pronged focus that equips an organization with the best chance to operate safely, accurately, and predictably in the face of cyber threats and incidents.

Simply put, cybersecurity resiliency is about maintaining the ability to function effectively and recover from cyber incidents in the face of adversity. It can be seen as the armor that helps the organization not just withstand the attack, but also bounce back with minimal damage.

While business continuity sets the foundation and strategy outlines the roadmap, it is business resiliency that serves as the vehicle to carry the organization through the tumultuous journey of managing cybersecurity threats.

The 4th Pillar – The Finance of OT Cybersecurity

We now encounter our next crucial pillar – Finance. While the emphasis so far has been on planning and resilience, the importance of finance in ensuring a robust cybersecurity strategy cannot be understated.

The Relevance of Finance within OT Cybersecurity Planning

Whether an organization is for-profit or non-profit, the cost of ownership for cybersecurity measures is tangible and significant. As with all cost centers, OT cybersecurity must be balanced against the financial constraints of the business, its risk appetite, and the current cybersecurity posture.

The term ‘Cybersecurity Business Finance’ refers to financial aspects associated with a cybersecurity program for an organization’s OT systems and critical infrastructure. These financial aspects cover costs related to planning, preparation, mitigation, and ownership; most important and often forgotten is budgeting.

Key Elements of a Cybersecurity Financial Plan

  1. Budgeting: Addressing the organization’s budget targets is essential. The OT cybersecurity approach must include a prioritization method that allows for incremental cybersecurity improvements while addressing the most critical issues first.
  2. Cost Management: Managing the costs associated with the cybersecurity program ensures cost-effectiveness and efficiency in managing the organization’s cyber risks.
  3. Return on Investment (ROI): Consideration must be given to how well the available funds for OT cybersecurity are spent to return the greatest value. While certain areas, such as compliance or safety, are non-negotiable and require funds, there is such a thing as over-spending.
  4. Procurement: Procurement activities associated with cybersecurity technologies and services must be planned to ensure cost-effectiveness and efficiency while maintaining quality and reliability.
  5. Compliance: Compliance and regulatory requirements must never be overlooked. Meeting regulatory requirements and industry standards is not negotiable.
Given budget constraints, prioritization becomes a crucial aspect. A tool like the Common Vulnerability Scoring System (CVSS), provided by the National Vulnerability Database (NVD), offers a risk ranking for Common Vulnerabilities and Exposures (CVEs). Additionally, PAS Cyber Integrity and Mangan’s ICSSbD® toolkit are examples that provide a risk-based approach, merging business needs and available budgets with prioritization. Regardless of the tools used, financial considerations must include technical, non-technical, and business drivers specific to your industry and organization to formulate the most impactful and well-prioritized cybersecurity plan.

In summary, the finance pillar emphasizes the necessity of a robust financial strategy that aligns with the cybersecurity needs of the organization. This alignment ensures that the organization is investing wisely, focusing on the most critical areas first, and managing cybersecurity costs effectively, all while meeting compliance requirements.
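To make the budget-constrained prioritization described above concrete, the Python below is an added example; it is not code from this article, from PAS Cyber Integrity, or from Mangan’s ICSSbD® toolkit. It combines a CVSS base score (the only thing borrowed from CVSS is its 0.0–10.0 scale) with a business criticality weight tied to the continuity pillar, funds compliance and safety items first because they are non-negotiable, then fills the remaining budget under one of two hypothetical policies: `roi` (risk reduced per unit cost) or `severity` (most critical first), deferring whatever does not fit to a later increment. The finding ids, asset names, scores, costs, the budget figure, and the function and policy names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One remediation candidate. All field values used below are constructed for this example."""
    finding_id: str           # hypothetical tracking id, not a CVE number
    asset: str                # hypothetical OT asset name
    cvss: float               # CVSS base score on its 0.0-10.0 scale (values are made up)
    criticality: int          # business weight: 3 = essential to minimal operation, 1 = return-to-normal only
    cost: float               # estimated remediation cost in arbitrary budget units
    compliance: bool = False  # True = required by regulation or safety, so it is funded regardless


def risk_score(f: Finding) -> float:
    """Business-weighted risk: CVSS severity scaled by the asset's continuity criticality."""
    return f.cvss * f.criticality


def compliance_shortfall(findings: List[Finding], budget: float) -> float:
    """Amount by which the non-negotiable (compliance/safety) items alone exceed the budget; 0 if they fit."""
    mandatory_cost = sum(f.cost for f in findings if f.compliance)
    return max(0.0, mandatory_cost - budget)


def prioritize(findings: List[Finding], budget: float, policy: str = "roi"
               ) -> Tuple[List[Finding], List[Finding], float]:
    """Split findings into (funded, deferred) for this budget cycle and report the amount spent.

    Compliance items are funded first. The remaining items are walked in priority order and
    funded while they fit; an item that does not fit is deferred to a later increment, and a
    cheaper lower-ranked item can still be funded after a larger one has been skipped.
      policy="roi"       orders by risk reduced per unit cost (the return-on-investment view)
      policy="severity"  orders by business-weighted risk alone (most critical first)
    """
    if policy == "roi":
        key = lambda f: risk_score(f) / f.cost
    elif policy == "severity":
        key = risk_score
    else:
        raise ValueError(f"unknown policy: {policy}")

    funded = [f for f in findings if f.compliance]          # non-negotiable items go first
    spent = sum(f.cost for f in funded)
    deferred: List[Finding] = []
    for f in sorted((f for f in findings if not f.compliance), key=key, reverse=True):
        if spent + f.cost <= budget:
            funded.append(f)
            spent += f.cost
        else:
            deferred.append(f)
    return funded, deferred, spent


# Constructed sample findings: ids, assets, scores and costs are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("F-1", "process historian",         9.8, 2, 4000.0),
    Finding("F-2", "safety PLC firmware",       7.5, 3, 12000.0, compliance=True),
    Finding("F-3", "engineering workstation",   8.8, 3, 3000.0),
    Finding("F-4", "operator HMI",              6.5, 3, 1500.0),
    Finding("F-5", "IT-side jump host",         9.1, 1, 8000.0),
    Finding("F-6", "vendor maintenance laptop", 5.3, 1, 500.0),
]

if __name__ == "__main__":
    budget = 20000.0
    for policy in ("roi", "severity"):
        funded, deferred, spent = prioritize(SAMPLE_FINDINGS, budget, policy)
        print(f"policy={policy}: spent {spent:.0f} of {budget:.0f}")
        print("  funded  :", [f.finding_id for f in funded])
        print("  deferred:", [f.finding_id for f in deferred])
    print("compliance shortfall at budget 10000:", compliance_shortfall(SAMPLE_FINDINGS, 10000.0))
```

Running it with the constructed data shows why the choice of prioritization method is a business decision rather than a tooling detail: the `roi` policy funds the cheap HMI and laptop fixes and defers the historian, while the `severity` policy funds the historian and defers the HMI, with the safety PLC item funded under both. The greedy fill is deliberately simple (it is not an optimal knapsack solution); its purpose is to make the deferred list explicit so that the next budget increment starts from a plan rather than from scratch.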

The 5th Pillar – Culture in OT Cybersecurity

The final pillar we’ll be discussing in our exploration of the ‘Business of OT Cybersecurity’ is Culture. While all pillars are instrumental to a robust cybersecurity program, the cultural aspect plays a pivotal role as it is the glue that holds all the other elements together.

Important to Consider – The Interconnectedness of the Five Pillars

Before delving into the Culture pillar, it’s important to understand the interconnectedness of the five business pillars defined in this article. They are not independent silos; rather, each one builds on the previous one, forming a synergistic structure. A comprehensive, effective OT cybersecurity strategy necessitates integrating all these elements. Skipping one or more could lead to an incomplete or unsustainable cybersecurity posture.

Completing the Picture – Culture

Culture refers to the set of beliefs, values, and behaviors that an organization promotes to establish a strong security philosophy around its OT systems and critical infrastructure. The foundation of this pillar lies in the understanding and commitment that every employee must intuitively and repeatedly follow best practices and security policies to protect the organization’s OT systems.

Creating an innate and self-aware culture is not an easy task due to individual differences and potentially conflicting business objectives. Nevertheless, several opportunities can enhance the cybersecurity culture, including:

  1. Regular Training and Awareness Programs: Regular training helps employees understand their role in protecting the organization’s OT systems from cyber threats. This training encompasses cybersecurity best practices, policies and procedures, and incident response. Repeated reminders of applicable regulations and requirements are also necessary.
  2. Leadership and Accountability: Managers and senior leaders can set a positive example by demonstrating leadership and accountability, promoting a culture of security throughout the organization.
  3. Effective Communication Channels: Ensuring effective communication channels are in place can promote a cybersecurity culture. This can involve regular communication from senior leadership about the importance of cybersecurity or the organization’s commitment to security.
  4. Promoting Risk Management: Encouraging employees to identify and report potential security risks and incidents builds awareness, ownership, and organizational prowess.
  5. Continuous Improvement: Encouraging a culture of continuous improvement through regular reviews, lessons learned, and staying informed about marketplace trends and malicious activities, fosters a culture that can protect your organization from undue risks or cyberattacks. Remember that identification of a gap is not a business failure but rather a benefit that should be recognized as such.

Merging Five Pillars

Each of the pillars – Continuity, Strategy, Resiliency, Finance, and Culture – contributes to creating a business-driven OT cybersecurity strategy. To create a comprehensive plan that mitigates risks and prepares the organization to face cybersecurity threats, it’s essential to consider and integrate each of these pillars.

Completion of the OT Cybersecurity Picture with Business Pillars

The path to understanding your current OT cybersecurity profile and setting your target profile starts with a comprehensive asset inventory. This inventory, gathered from digital tools such as PAS Cyber Integrity, along with other known physical and non-physical assets, allows us to visualize the OT environment being assessed. By integrating the five business pillars we’ve discussed, we can create a more complete picture of an organization’s OT Cybersecurity posture and objectives.

From Comprehensive Analysis to Prioritized Action

It is not enough to plan, gather, and prepare when speaking of OT Cybersecurity. Once the components of asset inventories have been collected, aligned with risk assessments, and associated with business targets in a common environment, we must generate comprehensive analyses. Importantly, these analyses should be tailored to your specific facility, environment, and industry. Anything less would be generic at best.

The business of OT cybersecurity plays a pivotal role in achieving these results with as much specificity as you require or wish to create. Most crucially, it allows for a prioritization approach to OT cybersecurity that can adapt and implement to meet specific or desired objectives over time. Not everything needs to be budgeted or scheduled for completion on day one, but a plan must first exist.

Closing Thoughts on The Business of OT Cybersecurity

We’ve spent the past few minutes discussing the essential components for crafting an organization-specific cyber protection philosophy and approach. More significantly, we’ve highlighted the importance of considering YOUR business when planning for OT cybersecurity to reduce risks specifically catered to your needs.

We hope you found this information useful and that it’s provided you with a clearer understanding of the critical role that business objectives play in creating a comprehensive and effective OT cybersecurity strategy. Remember, the path to robust OT cybersecurity doesn’t begin with technology; it starts with understanding your business objectives and building a strategy that aligns with them.
