Securing Operational Technology - Cyber Risk Insights Revealed
In short, operational technology is now exposed to cyber risk as it connects more closely with IT systems.
A new Fortinet podcast episode highlights the cyber risks facing operational technology. As IT and OT systems converge, critical industries must adapt to ensure safety and security. Leaders are urged to prioritize visibility and collaboration to protect essential services.
What Happened
In the latest episode of Fortinet's podcast series, Brass Tacks: Talking Cybersecurity, the focus is on the growing cyber risks associated with Operational Technology (OT). Host Joe Robertson interviews Hossain Alshedoki from KPMG, discussing how critical industries are increasingly vulnerable to cyberattacks as OT systems become interconnected with IT environments.
Why OT is “New” to Being Online
Traditionally, OT systems operated in isolation, prioritizing safety and reliability over connectivity. These systems control essential physical processes like energy generation and manufacturing. However, the push for digital transformation is changing this landscape, exposing OT systems to cyber risks that IT has been managing for years.
Controlling the Physical vs. the Virtual
The distinction between IT and OT is crucial. IT deals with virtual processes, while OT governs physical realities. A failure in IT might lead to data loss, but in OT, it could result in physical damage or even risk to human lives. This difference necessitates a unique approach to understanding and managing cyber risks in OT environments.
Understanding the OT Landscape
Alshedoki breaks down the OT environment into its core components, including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and Programmable Logic Controllers (PLCs). As these systems evolve into cyber-physical systems, the complexity increases, necessitating a shared vocabulary and understanding between IT and OT teams.
IT/OT Convergence is Accelerating
The convergence of IT and OT is not a new phenomenon but has gained momentum. Organizations are now seeking to enable data flow from the factory floor to the boardroom, requiring new architectures that support this integration. However, merging these networks is not straightforward; it requires deliberate planning and security measures.
Culture is the Hardest Part
Cultural differences between OT and IT teams pose significant challenges. OT engineers focus on uptime and safety, while IT security teams prioritize data confidentiality and integrity. Bridging this gap requires building trust and fostering collaboration across teams.
Visibility Comes Before Automation
A key takeaway from the episode is that organizations need visibility into their OT environments before automating controls. Many OT environments lack accurate asset inventories or vulnerability insights. Understanding what assets exist and how they communicate is essential for meaningful security.
Extending IT Capabilities into OT—Carefully
Alshedoki shares examples of organizations successfully extending IT security capabilities into OT environments. This includes adapting security measures to OT realities while respecting operational constraints. The goal is incremental improvement in resilience and visibility rather than instant transformation.
Resilience is the Goal
The conversation emphasizes that the focus should be on outcomes rather than tools. As OT systems become more connected, leaders must balance security, safety, and operational continuity. This requires a cultural shift where IT and OT teams understand each other's priorities, ultimately securing the physical systems that societies rely on.