On 21 May 2026, teissTalk host Thom Langford was joined by Danny Dresner, Cyber Security Professor, University of Manchester; and Elliot Gidley, Field CTO, Claroty.
Several state-linked threat groups known for breaking into operational technology (OT) networks have shifted their focus over the past year from gaining and maintaining access to actively mapping out ways to disrupt physical industrial processes. The shift poses a significant threat because fewer than one in 10 OT networks have monitoring in place to detect such activity. Old classifications of IT and OT are becoming obsolete. While the IT layer of manufacturing companies is often best of breed, their industrial business is lagging behind in terms of security. Formerly isolated plants have also been gradually opening up access to cloud management services since Covid without ensuring these systems are cyber resilient. When connecting these systems, they often forget about segmentation too. The tangible, physical nature of OT also suggests that less heed should be paid to less visible cyber attacks. Disruption, however, also offers opportunities to innovate.
Frameworks are there to help businesses to integrate security into physical systems by design. However, currently, equipment used in OT is often 30 years old and wasn’t built with security-by-design in mind. Moreover, EDR, the be-all and end-all of IT, can’t typically be installed on OT equipment, as it is often too old to run cyber tools. Companies that are not in scope for the EU’s Cyber Resilience Act (CRA) shouldn’t feel relieved but should think of how they are putting other, compliant companies at risk by opening back doors to their systems. They should, instead, see regulations as guidelines they can rely on to become more resilient. That said, regulation should be seen as the bare minimum.
Although cybercrime stats may sound like scaremongering, they can bring home legitimate risks. Too much responsibility is being laid on those who operate the technology, freeing the rest of the supply chain from the consequences of their mistakes or negligence. Security by design doesn’t only mean new products with better architectures but also how a security layer can be embedded into legacy equipment, while also extending its longevity. The problem that both IT and OT share is the lack of system visibility. However, OT is lagging behind IT here too, still often working from spreadsheets and therefore devoid of real-time data. OT also needs real-time monitoring, to see not only what assets do when they are online but also how they are communicating with each other – although today’s systems are so complex and spread out that full visibility is not achievable.