OT Cybersecurity Challenges for Leaders to Address in 2023

By Willi Nelson | February 03, 2023

There are a number of challenges that OT security leaders will confront this year. The most prominent ones will result from an ever-expanding threat landscape, new government regulations worldwide, compliance becoming more complicated, and the cybersecurity skills gap that makes it difficult to fulfill OT and IT staffing needs.

Below is a deep dive into these key challenges that I foresee coming in 2023 for CISOs. This is followed by my recommendations for how best to handle them and better secure your organization.

Compliance vs. Security vs. Risk

The first key challenge for CISOs in 2023 will be the prioritization of OT security versus compliance versus risk. Honestly, this has always been an issue for CISOs—not just this year—but it will be exacerbated in 2023 as compliance and regulations continue to evolve to keep pace with the global economy and technology developments.

Defining OT Compliance

While compliance, security, and risk work together, they are not always in sync nor are they always balanced. This lack of balance can lead to great difficulties when trying to secure OT. Starting with compliance, let’s define it simply as the need to be compliant with policies, regulations, and rules written internally or handed down from government entities.

Comparing OT Compliance to Security

Compliance doesn’t necessarily mean security—it just means that when your organization complies with regulations, you have checked that box. The difference between compliance and security is best illustrated by looking at password protection. To be compliant, you must have a password. But if you want to be truly secure, then you will create a password with 8-16 characters.

Examining OT Risk

Now, let’s examine risk. It is a very different conversation. It’s a business conversation. Let’s use vulnerability management as an example to explain how risk works in a business. If you have a vulnerability, then you need to actually weigh that risk against all the work that has to be done to mitigate that vulnerability. I may want to assume the risk of that vulnerability being attacked because for a cybercriminal to take advantage of it, they would have to 1) be on-site, 2) use a specific credential, and 3) plug in a USB key. In this case, it’s a highly unlikely scenario, so I'll assume the risk and take my chances.

My Recommendation

In the past, CISOs have been focused almost exclusively on security and frequently had a love/hate relationship with compliance. When discussions took place among an organization’s leadership, CISOs spoke from a security perspective, while CIOs were more in tune with the risk and business view. Now, due to the convergence of IT and OT, a change in conversation is required. For the organization to be better and fully protected, an expansion of all the stakeholders’ perspectives is required.

OT leaders need to be included in these conversations more than ever. Across IT/OT organizations, leaders must have a balance between compliance, security, and risk, making sure that all remain a priority. This will necessitate educating others on the importance of all three areas of concern, and the need to be an advocate. CISOs as leaders of their organization’s cybersecurity must find the balance within all three areas.

Barriers to Adopting Regulations

The European Union (EU) is leading the way with many new cybersecurity regulations. A good example of this is the General Data Protection Regulation (GDPR), which became law in 2018. The GDPR’s goal is to secure the personal data and user privacy of EU residents.

The United States has a number of new regulations for critical infrastructure that have been approved by the federal government or are in the works. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will have a big impact in the coming months and years. One of the key elements of CIRCIA is that the Cybersecurity and Infrastructure Security Agency (CISA) “will be developing standards between now and September 2025 that will require certain entities to report cyber incidents and ransomware payments.”

The US tends to be slower in adopting critical infrastructure regulations because most infrastructure isn’t owned by the government, but rather by companies. Therefore, as government organizations create policies to better protect our critical infrastructure, it takes a lot of back and forth with government agencies, corporations, and lobbyists to enact an overarching policy or implement guidelines.

While most companies agree that regulations are important, time and resource constraints are always an issue for them. If security resources are already hard to find, OT security professionals are like purple unicorns.

My Recommendation

For companies to adopt these new regulations, they must take on the well-documented challenge of closing the gap in cybersecurity awareness among all employees. This requires ensuring that all employees get the appropriate cybersecurity training and experience in IT/OT. This is critical because the cybersecurity battle will require the collective empowerment of all employees to have the knowledge and awareness to work together to protect themselves and their organization’s data.

Additionally, Fortinet’s skills gap report uncovered that training combined with certifications is a way in which organizations can further advance cybersecurity skills and provide a level of validation that can help an employee and their team perform their duties better.

How to Better Secure Your Organization

Taken together, the coming year is not without its challenges. But this is not to say these challenges cannot be tackled head-on with the right approach and solutions.

A good first step would be to implement a zero-trust security model. It’s no longer safe to assume that just because a device is connected to the network, it should have access to everything. A zero-trust implementation involves a process of “never trusting, always verifying” to ensure that users only have access to what is absolutely necessary. This is especially important as IT and OT convergence continues and even OT workers are more dispersed and remote.

Another effective ransomware prevention technique is deception technology, designed to attract cybercriminals away from an organization’s true assets and towards a decoy or a trap. By doing so, not only are you protecting your organization’s legitimate assets, but you also have full visibility into the cybercriminal’s behavior, allowing your teams to strengthen security and prevent similar attacks from happening in the future. This is some of the best intelligence you can obtain: real, live intelligence from your environment.

Finally, adding threat intelligence and security services across everything is the last step to achieving consolidation to accelerate digital initiatives while maintaining safety and reliability. Integrated with your security solutions, security services counter threats in real time with AI-powered, coordinated protection. This enables fast detection and enforcement across the entire attack surface.