Debunking Myths: The Reality of Online Operational Technology (OT) Systems
In an era where digital transformation is pivotal, operational technology […]
Share This Article:
In an era where digital transformation is pivotal, operational technology systems have transitioned from being isolated or ‘air-gapped’ to being connected online. This shift has sparked numerous myths regarding their operation and security. Here’s some myths and some real-world facts from Anchoram’s view on the front lines of providing strategic advice to critical infrastructure system operators.
Myth 1: OT security can be managed separately from IT security.
Contrary to popular belief, OT security cannot be siloed from IT security due to increasing interconnectivity. Effective cybersecurity strategies require an integrated approach that encompasses both domains.
Perspective: This is an interesting one, and the devil is in the detail, many organisations cannot fund a dedicated OT security capability. Our approach is to perform a detailed risk assessment as to what services can be shared and where the demarcations lie. Understanding the operational imperative of what needs to be isolated and why will allow for a pragmatic and commensurate approach based on risk to mission critical operations.
Myth 2: Physical controls are sufficient for OT system protection.
While physical controls play a role in securing OT systems, they are not enough in isolation. As these systems go online, cybersecurity measures become equally important to safeguard against digital threats.
Perspective: Arguably, this should depend on the asset class as to what level of reliance a physical control should take, for example a remote asset that performs a low-risk function can be treated as untrusted and reliant on the security controls for the integration and underlying network
Myth 3: Regular patching keeps OT systems secure.
Patching is indeed crucial; however, it is not always feasible for OT environments due to system uptime requirements and compatibility issues. Therefore, organizations must employ additional protective measures such as network segmentation and continuous monitoring.
Perspective: It’s ok to have some squishy bits, the focus on the hard shell and risk defined and segmented zones and conduits can allow for limited patching of critical environments and ensure that operational requirements take precedence, that is not to say that as part of asset lifecycle that software versions and vulnerabilities should be included to ensure these upgrades take place.
Myth 4: Cybersecurity investments do not show clear value in risk reduction for OT environments.
This misconception undermines the importance of cybersecurity investments which can significantly reduce risks when tailored specifically for OT environments through risk assessments and targeted defences.
Perspective: Seems like a no-brainer that any investment in security will eventually provide a return on investment, as a single incident can mean a loss in production that is greater than the cost of a well-run security program.
By dispelling these myths with factual insights, organizations can better understand the complexities of securing OT systems in a connected world. This knowledge is crucial for developing robust cybersecurity strategies that protect critical infrastructure and ensure operational resilience.
In an era where digital transformation is pivotal, operational technology […]
Share This Article:
Categories
Subscribe
Subscribe to our newsletter and get the latest news and information from Anchoram.