Understanding the Business of OT Cybersecurity
As cybersecurity threats escalate in both number and complexity, a new frontier has emerged that demands special attention – Operational Technology (OT) cybersecurity. The unique challenge of protecting industrial control systems from cyber threats has businesses around the globe rethinking their approach. In this article, we will delve into what is meant by the ‘Business of OT Cybersecurity,’ dissecting its integral components and why they matter.
When we say the ‘Business of OT Cybersecurity,’ we’re referring to much more than just costs and control. There are numerous facets to this critical subject, all deserving of in-depth exploration and understanding. This is a complex field that touches on all areas of an organization and impacts stakeholders at every level. The objective here is to provoke action-oriented thoughts about dealing with OT environments from a distinct business perspective.
OT cybersecurity is a shared responsibility. It brings together diverse stakeholders – directors, managers, HR departments, admin, and accounting groups, as well as line workers. Everyone plays a vital role in determining the level of action within OT cybersecurity. The collective expertise of these individuals is what enables informed decisions that ensure business viability, even in the face of unwanted events.
The Five Core Pillars of Business-Driven Cybersecurity
- Continuity – This is where the minimum expectations are set, challenged, and verified. It revolves around sustaining critical operations in the face of potential disruptions.
- Strategy – This is the phase where operations and actions necessary to meet the expectations are defined. Mitigation approaches are developed that meet the continuity targets, keeping the business resilient in the face of threats.
- Resiliency – In this context, resiliency refers to the organization’s ability to recover from and minimize the impact of an attack while maintaining safety and availability of critical facility operations.
- Finance – This pillar involves ensuring that the OT cybersecurity program is measured and managed in a financially responsible manner. The goal is to address all necessary points without unnecessary expense and within acceptable budget constraints while maximizing return on investment.
- Culture – Without a culture that embraces OT cybersecurity’s importance in critical processing or manufacturing, all other objectives are likely to fall short. This culture shift comes through training, communication, and management.
The 1st Pillar - Business Continuity for OT Cybersecurity
Let’s explore the first pillar of the ‘Business of OT Cybersecurity’ – Business Continuity. This pillar sets the tone for the balance of the business requirements when discussing cybersecurity. It answers the pivotal questions that lay the groundwork for future actions and the strategic direction of the business’s cybersecurity framework, risk appetite, and recovery objectives.
Business Continuity refers to the organization’s ability to continue its essential business operations, including its OT systems and critical infrastructure, amidst cyber threats or incidents. In essence, it’s about maintaining systems availability and control of crucial operations, even if OT systems are compromised. These strategies may encompass technical and non-technical responses, such as manual operations, additional personnel, or enhanced security protocols. Cybersecurity Business Continuity planning prompts important questions, including:
- What is my organization’s risk appetite?
- How much risk is acceptable or tolerated?
- What are the maximum Mean Time To Recovery (MTTR) targets?
- Are there other drivers (e.g., regulations, budgets, outside forces)?
These questions facilitate the understanding of an organization’s risk tolerance and its ability to recover from incidents. For instance, the maximum MTTR targets will define tolerated costs and time to recover from an incident, including essential operations and return to normal.
While all business processes and functions are vital to meeting total business needs (i.e., return to normal), not all are essential to minimal operation. Identifying these crucial functions, processes, and systems is precisely what the business continuity plan aims to define and protect.
Additionally, external drivers like regulations, budget constraints, and outside business forces can significantly influence cybersecurity decisions. While they may not directly address cybersecurity concerns, they may impact our ability to respond unless mitigated. They must therefore be taken into consideration while developing business continuity objectives.
A well-prepared business continuity plan is an essential asset. The document encompasses the impact analysis results and the strategic and resiliency components needed to ensure proper recovery in case of an incident. The time to consider what to address, the depth of recovery efforts, the tolerance for risk, and many other factors is before an event requires it. Proactivity triumphs every time, as decisions made in haste can prove costly and may overlook key requirements.
A robust business continuity plan should minimally include:
- Results of the business impact analysis.
- A high-level risk assessment identifying major threats and vulnerabilities.
- Risk mitigation strategies.
- Incident response with references to detailed plans as necessary.
- The continuity plan itself to maintain critical business processes and systems in the event of a cybersecurity incident. This includes approaches for backup, recovery, resource expectations, and plans to resume normal operation beyond critical recovery.
The 2nd Pillar - Strategy in OT Cybersecurity
When we talk about strategy, it’s tempting to dive straight into the technical details. However, in the context of planning your OT cybersecurity approach, the term “strategy” leans more towards alignment with broader business objectives rather than technical specifics.
A business-level strategic approach to OT cybersecurity involves identifying and assessing the risks to an organization’s OT systems, developing a risk management strategy, and implementing measures to prevent, detect, and respond to cyber incidents. One of the most crucial decisions at the outset relates to resource allocation. Determining whether the elements of the cybersecurity continuity plan, once implemented, will be executed in-house, outsourced, or through a hybrid approach will likely shape your overall strategy.
Primary considerations within the strategic plan include:
- Planning the risk assessment expectations: This includes setting strategic objectives to ensure that vulnerabilities, threats, and the potential consequences of a cyberattack are addressed for both business continuity and return to normal operations. Once set, these strategies must also outline the expectations for the associated comprehensive risk assessments.
- Developing a risk mitigation strategy: This encompasses methodologies for prioritizing risks, expectations for risk mitigation, and requirements for resource allocation. The focus here isn’t on detailing every specific action (that’s left to the experts), but rather setting expectations to maintain business operations.
- Establishing baseline security controls: In this section, high-level requirements for access control, data segregation, and systems management to prevent cyberattacks are defined.
- Setting minimum training and awareness expectations: This is intended to help employees understand their role in protecting the organization’s OT systems from cyber threats.
- Identifying regulatory requirements or expectations: Any organization must document its requirements and expectations related to relevant regulations, executive orders, and industry standards, such as NIST or IEC 62443.
The 3rd Pillar – Resiliency in OT Cybersecurity
Resiliency revolves around an organization’s ability to absorb and adapt to cyber threats or incidents. This encompasses creating processes and plans that minimize the impact of an attack, while maximizing the ability to operate processes that maintain safety and necessary facility operations.
Resiliency isn’t merely about recovering from an incident, but also involves ongoing adaptation and learning. It requires the organization to not just respond to attacks, but also to anticipate them, withstand them, and recover while continuously adapting and improving.
The effectiveness of business resiliency is fundamentally tied to how well the formulated strategy is implemented.
Defining Business Resiliency
In the context of cybersecurity, business resiliency can be defined as the ability of an organization’s cybersecurity program to prepare for, withstand, and recover from cyber threats or incidents without compromising the confidentiality, integrity, or availability of critical information assets.
In essence, resiliency is a measure of readiness to address concerns as they arise, more than just preventing cyberattacks. It gauges how swiftly an organization can respond to and recover from any damage caused should a cyberattack occur.
Implementing Business Resiliency
- Does the organization have the necessary cybersecurity capabilities available to allow the business continuity plan to succeed?
- Does the organization have processes and technologies defined and implemented to prevent, detect, respond to, and recover from cyber threats or incidents?
Resiliency in business continuity and ‘return to normal’ requires a comprehensive approach that encompasses people, processes, and technology. It is this three-pronged focus that equips an organization with the best chance to operate safely, accurately, and predictably in the face of cyber threats and incidents.
Simply put, cybersecurity resiliency is about maintaining the ability to function effectively and recover from cyber incidents in the face of adversity. It can be seen as the armor that helps the organization not just withstand the attack, but also bounce back with minimal damage.
While business continuity sets the foundation and strategy outlines the roadmap, it is business resiliency that serves as the vehicle to carry the organization through the tumultuous journey of managing cybersecurity threats.
The 4th Pillar – The Finance of OT Cybersecurity
The Relevance of Finance within OT Cybersecurity Planning
Whether an organization is for-profit or non-profit, the cost of ownership for cybersecurity measures is tangible and significant. As with all cost centers, OT cybersecurity must be balanced against the financial constraints of the business, its risk appetite, and the current cybersecurity posture.
The term ‘Cybersecurity Business Finance’ refers to the financial aspects associated with a cybersecurity program for an organization’s OT systems and critical infrastructure. These financial aspects cover costs related to planning, preparation, mitigation, and ownership, and, most important and most often forgotten, budgeting.
Key Elements of a Cybersecurity Financial Plan
- Budgeting: Addressing the organization’s budget targets is essential. The OT cybersecurity approach must include a prioritization method that allows for incremental cybersecurity improvements while addressing the most critical issues first.
- Cost Management: Managing the costs associated with the cybersecurity program ensures cost-effectiveness and efficiency in managing the organization’s cyber risks.
- Return on Investment (ROI): Consideration must be given to how well the available funds for OT cybersecurity are spent to return the greatest value. While certain areas, such as compliance or safety, are non-negotiable and require funds, there can still be such a thing as over-spending.
- Procurement: Procurement activities associated with cybersecurity technologies and services must be planned to ensure cost-effectiveness and efficiency while maintaining quality and reliability.
- Compliance: Compliance and regulatory requirements must never be overlooked. Meeting regulatory requirements and industry standards is not negotiable.
The 5th Pillar - Culture in OT Cybersecurity
Important to Consider – The Interconnectedness of the Five Pillars
Completing the Picture - Culture
Culture refers to the set of beliefs, values, and behaviors that an organization promotes to establish a strong security philosophy around its OT systems and critical infrastructure. The foundation of this pillar lies in the understanding and commitment that every employee must intuitively and repeatedly follow best practices and security policies to protect the organization’s OT systems.
Creating an innate and self-aware culture is not an easy task due to individual differences and potentially conflicting business objectives. Nevertheless, several opportunities can enhance the cybersecurity culture, including:
- Regular Training and Awareness Programs: Regular training helps employees understand their role in protecting the organization’s OT systems from cyber threats. This training encompasses cybersecurity best practices, policies and procedures, and incident response. Repeated reminders of applicable regulations and requirements are also necessary.
- Leadership and Accountability: Managers and senior leaders can set a positive example by demonstrating leadership and accountability, promoting a culture of security throughout the organization.
- Effective Communication Channels: Ensuring effective communication channels are in place can promote a cybersecurity culture. This can involve regular communication from senior leadership about the importance of cybersecurity or the organization’s commitment to security.
- Promoting Risk Management: Encouraging employees to identify and report potential security risks and incidents builds awareness, ownership, and organizational prowess.
- Continuous Improvement: Encouraging continuous improvement through regular reviews, lessons learned, and staying informed about marketplace trends and malicious activity fosters a culture that can protect your organization from undue risk or cyberattack. Remember that identifying a gap is not a business failure but a benefit, and it should be recognized as such.
Merging Five Pillars
Completion of the OT Cybersecurity Picture with Business Pillars
From Comprehensive Analysis to Prioritized Action
It is not enough to plan, gather, and prepare when speaking of OT cybersecurity. Once the components of asset inventories have been collected, aligned with risk assessments, and associated with business targets in a common environment, we must generate comprehensive analyses. Importantly, these analyses should be tailored to your specific facility, environment, and industry. Anything less would be generic at best.
The business of OT cybersecurity plays a pivotal role in achieving these results with as much specificity as you require or wish to create. Most crucially, it allows for a prioritization approach to OT cybersecurity that can adapt over time to meet specific or desired objectives. Not everything needs to be budgeted or scheduled for completion on day one, but a plan must first exist.
Closing Thoughts on The Business of OT Cybersecurity
We’ve spent the past few minutes discussing the essential components for crafting an organization-specific cyber protection philosophy and approach. More significantly, we’ve highlighted the importance of considering YOUR business when planning for OT cybersecurity to reduce risks specifically catered to your needs.
We hope you found this information useful and that it’s provided you with a clearer understanding of the critical role that business objectives play in creating a comprehensive and effective OT cybersecurity strategy. Remember, the path to robust OT cybersecurity doesn’t begin with technology; it starts with understanding your business objectives and building a strategy that aligns with them.