I’ve been impressed by the resilience so many organisations have shown over the past eight months in rapidly pivoting to new solutions and systems to handle a distributed environment. As they have driven digital innovation and brought change to everything, from connectivity and teamwork to how infrastructure is organised to accommodate major changes in market and operating models, each organisation has become a technology company. Security departments have worked around the clock to secure networks, operations, and data while ensuring performance and driving competitive advantage.
As we look ahead, we realise that COVID is not going anywhere any time soon and that the new remote work environment will continue, not only out of need, but also because it suits many workers and employers and makes good economic sense for them. Following examples from other technology firms, Microsoft is letting workers work from home indefinitely. But businesses are preparing for hybrid working conditions even across vital infrastructure industries, such as banking, engineering, oil and gas, electricity, mines and chemicals. They have found that their operational technology (OT) environments can be supported, at least partly, by remote staff, and some have also recorded an increase in company efficiency.
We should also assume that adversaries will continue to escalate threat activity against all vital infrastructure, as they attempt to take advantage of an expanding attack surface and legacy devices that are already connected to the internet but were never built to withstand the security threats associated with it. A couple of months back, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice saying, “We are in a situation of enhanced tension and additional danger and exposure” through OT and control networks that are essential to operations and are thus useful to attackers. The discrepancy between the security risk posture of IT and OT networks also makes OT networks a blind spot for organisations.
So, while we have pivoted rapidly to put new solutions and processes in place for a new, distributed paradigm, what are we going to do next? How do we take advantage of what we have learnt this year, build on the shift in attitude that it is possible to move rapidly, and apply it to capture the opportunity for OT security in 2021? To help you build upon your success, here are three areas of focus.
1. Budget. Increasingly, Fortune 500 businesses have the support of their board of directors and the budget to minimise disruption and ensure the uptime and availability of their OT networks. Digital transformation is a must. In fact, according to a recent McKinsey & Company report, large companies will invest even more over the next 12 months in the key security controls that enable a dispersed workforce and infrastructure. However, if your team’s buy-in and budget remain a concern, do a security posture review to determine the current state of OT network security and the delta to where you need to be to minimise harm. Map the outcomes to activities that help the company maximise remote work, connectivity, teamwork, and the OT ecosystem itself, with protection as a required factor. Showing what is needed to continue to safely drive performance and competitive edge will help you make a case for the budget you need.
2. Acceleration and elasticity. The next year is critical for industries, offering a major chance to drive digital change and improve resilience. Start by thinking holistically about protection and your networks. Adversaries don’t think of these networks separately and you shouldn’t either. To them, a network is a network, and threats are interconnected. The NSA/CISA alert gives broad warning of an immediate and significant danger in all 16 essential infrastructure industries, as well as long, extensive sets of guidelines to secure OT ecosystems that facilitate a systemic approach to risk reduction. Acceleration and sustainability require systems to be applied across the board, not piecemeal. Think about how to extend your key security controls and governance mechanisms to include OT without compromising efficiency or causing downtime, and look at options that follow a platform strategy to minimise complexity and speed up deployment.
3. Simplify processes. The days of a “crawl, walk, sprint” technique are gone. Our experience over the past few months has taught us that we should run right away. The trick to getting going rapidly is to simplify where you can and not overthink it. Use the current processes and facilities you have; capable OT security vendors will develop their solutions to work with the rest of the technology stack. They will make use of the inherent features of OT networks, which collect data-rich traffic, to give you all of the monitoring details you need to track risks. They can also incorporate related OT data equally well into the majority of the processes running your infrastructure, such as asset discovery and maintenance, workflow management, and platforms for consolidated threat identification. Instead of duplicating efforts, IT and OT teams should work together, using a full picture of the threat surface to govern OT networks with the same procedures and monitoring metrics.
This past year we have all been through a lot, but we have risen to the challenge. It can seem overwhelming to look forward to 2021 and a continuation of existing restrictions. But the synergistic advantages will propel you much further as you work on these three areas. Process simplification helps to enable acceleration and flexibility and optimises expertise, time, and capital budget. We’re looking at a breakaway year for organisations, where you can seize the opportunity for OT defence and drive digital innovation into the future.