Recent cyberattacks have demonstrated an increased risk to both IT and operational technology (OT) environments, and resilience readiness has evolved as a result. It is now more than a cybersecurity strategy: it involves enforcing rules and policies that provide the visibility, control, and situational awareness to respond at the speed of business while ensuring that safety and reliability are maintained.
Fortinet’s CISO for Operational Technology, Willi Nelson, shares his perspective on considerations when developing cyber resilience, covering fundamentals and strategic planning, to protect the convergence of IT and OT environments.
Willi: In light of recent events spanning the last three to five years, there has been an uptake in readiness and awareness within the industry. From pipelines to pharma and transportation, boards are becoming involved in that discussion, which turns the readiness discussion away from just, “Are we prepared?” to now reporting on it. For example, some organizations have a dedicated individual who is working specifically on readiness across the organization. They are responsible for understanding whether threats are real and/or critical, but also what they should be doing and who they should call.
Willi: It’s all about awareness. The leadership, including boards and executives, is starting to have more awareness of their manufacturing facilities and operations. Security is becoming everyone’s problem. I think from an OT perspective, it’s back to partnering with your operation centers so they know what threats are real and what’s not. Automation engineers are extremely smart and very capable, but typically, operation centers don’t communicate with them. It is crucial that communication opens up between automation engineers and operators to determine an appropriate response. To some extent, it’s people, process, and technology, which goes back to fundamentals. We have to communicate and understand what is being dealt with. For example, if I do X, how does that impact the business? The process has to be dynamic. As threats change, your response plans are going to change as well.
Willi: From an inventory perspective, it starts with knowing what assets your organization currently has. Without visibility into your current assets, you can’t know what your inherited vulnerabilities are, for example. If you have an asset that has never been patched, and it’s not on your list of current assets, you’re never going to get to it. When dealing with new vulnerabilities, you should ideally have visibility into all of it. You should be aligned with the business and operations, your architecture and engineering teams should be talking, and you should be partnered with security vendors. Once you’ve achieved this, you have progress.
Willi: When discussing solutions with OT leaders, I usually mention some of the core items which can help build a foundation for the future. For example, I encourage them to consider segmentation to help control OT/IT convergence as it gradually increases. In addition, regardless of the state of current cybersecurity planning, it is important to remain focused on a journey to integrate disparate products into a platform approach, a cybersecurity mesh platform. Also, OT organizations should incorporate zero trust network access (ZTNA) into cyber plans. Even if not all employees are working remotely, ZTNA has cybersecurity benefits across the extended network.