COOs and the Evolving Prioritization of OT Cybersecurity

By Peter Newton | April 06, 2020

Today’s Operational Technology (OT) environments are experiencing dramatic change. While these networks were once completely separated from IT, the need to create more agile and responsive OT environments through the addition of IT technologies means this is no longer the case. Thanks to innovations in the industrial sector, including the rapid introduction of IoT and IIoT (Industrial IoT), the once distinct IT and OT environments have now begun to merge. As the roles of these networks evolve, Chief Operating Officers (COOs) have had to adjust the management of these environments.

A recent report by Fortinet examined the changing role of the COO from this perspective. Given that the connected world has been battling a new generation of threats and concerns for some time, the introduction of IT onto the production floor or manufacturing yard has given rise to a host of new security issues in addition to those targeting more traditional OT systems and processes. As a result, chief among the changes that COOs now face is how to deploy and manage cybersecurity for OT.

What follows are findings from this recent report on OT and the COO about current priorities and evolving challenges in this rapidly transforming sector, as well as how some of its chief players are currently weathering the technology disruption.

Companies Increasingly Rely on COOs for OT Cybersecurity 

75% of companies place responsibility for cybersecurity squarely on the shoulders of their COO, which is why an overwhelming majority of COOs are regularly involved in the creation of cybersecurity strategies. And when considering their overall propensity for risk, COOs must increasingly factor OT security into their equation, resulting in increased responsibility for the COO. Even those COOs who are not yet regularly involved in this process are still expected to provide occasional input, which means being familiar with the challenges at play.

The report further highlights that nearly every organization must now deal with multiple intrusions each year. 89% report having faced OT outages due to a long list of threats, including malware, spyware, phishing, mobile security breaches, insider breaches, zero-day attacks, and ransomware. In addition to disrupting business, damaging operations, and exposing workers and others to physical risks, OT outages can also damage the reputation of the COO, since the metrics for their success rely on factors directly impacted by these outages, including cost efficiency, productivity, and safety.

Part of the challenge is that the role of the COO is already quite broad, and for many, the expansion of their responsibilities to include not only cybersecurity but also the protection of their OT environments has them feeling spread too thin. For example, many COOs report that they are now directly involved in making purchasing decisions for OT cybersecurity. Fortunately, for more than 75% of the COOs surveyed, there was an increase in their security budgets in 2019. But the challenge is ensuring that these resources are spent in the most effective way possible when there is limited time available for solution analysis and review.

Key Challenges Faced by COOs

With disruption in the air, expanding security-related responsibilities, and far too many decisions to make, today’s COOs face more than their fair share of challenges. As the report highlights, the majority of their challenges related to cybersecurity stem from the following: 

  1. Staying abreast of the advanced threat landscape.
  2. Seeing and developing a consistent strategy for securing the expanding attack surface.
  3. Addressing the increased complexity in both network systems and cyberattacks without creating a new challenge related to security vendor and solution sprawl.

These issues come at a time when most COOs are already under enormous pressure to modernize and expand network operations, such as adopting a multi-cloud strategy, addressing the growing challenges of mobile workers and the influx of IoT devices, and transitioning branch office connectivity to SD-WAN. Workloads are growing, the number of business-critical applications is expanding, job stress is rising, and staying on top of cybersecurity just keeps getting more complex. 

Orchestrating these challenges while staying on top of risk management is a juggling act that can quickly overwhelm COOs who don’t have an effective strategy in place. A dropped ball now may result in a cybersecurity event later that could devastate the organization and end a promising career. That is why 77% of COOs surveyed cited the complexity of cyber threats as the top reason why risk management was their biggest headache.

And that complexity has more of an impact on the outlook of COOs than on that of CISOs and CIOs. As a result, COOs are more likely to prioritize risk management than their C-Suite colleagues.

Best Practices for COOs

So, what are COOs doing in the face of these trends and threats? The report cited the following Best Practices for COOs to follow:

  • Schedule regular compliance reviews, especially for newly connected OT environments. This can be accelerated and simplified by deploying security tools designed to automatically address and report on compliance.
  • Make cybersecurity a priority among top executives. Regular updates on the state of cybersecurity, especially in new project areas such as cloud adoption or IT/OT convergence efforts, and on the current set of risks and challenges are an excellent way to keep the C-Suite and board members aware of, and prepared for, cyber events.
  • Create a plan to strengthen security over time. OT networks are notoriously open environments, allowing cybercriminals to roam freely and dwell undetected for months. The following objectives should be part of any security development strategy.
    • Maintain an accurate assessment of who is on the network and what resources they have access to. An accurate inventory of every device, including its security state (patch level, OS, applications, etc.), helps track indicators of compromise (IOCs) and identify devices at risk for updating or monitoring.
    • Add multifactor authentication to ensure that users and devices are accounted for, and to enable the proper assignment of privileges based on policy at the moment of access.
    • Consider a Zero Trust Network Access strategy to ensure that users only have access to the minimum level of resources required to do their jobs. 
  • Report the results of regular penetration and intrusion testing. Executives and board members need to understand the risks the organization is facing so they can allocate resources and absorb potential risk into their planning.

Final Thoughts

When it comes to securing OT environments, COOs play a leading role within their organizations. However, this responsibility comes on top of the challenges they already face with the duties traditionally assigned to their role. By following certain best practices, including reporting and tracking the right metrics and regularly conducting compliance reviews and security tests, COOs can find and maintain success in spite of the increasing complexity of their responsibilities.
