CISOs Are Shifting OT Cybersecurity Toward a Business Outcomes Mentality

As OT cybersecurity accountability shifts to CISOs, organizations are prioritizing business risk in industrial networks. The shift is long overdue.

Throughout the past decade, some things in the OT cybersecurity industry haven’t changed, or have changed very little. A small percentage of asset owners have detection tools deployed at scale, despite it being an established product market. Systems remain inherently vulnerable, asset owners continue to struggle to maintain OT cybersecurity talent and comprehensive risk management programs are very rare.

What has changed, however, is recognition of the risk, mindshare among organization leaders and regulations that are beginning to require punitive remedies, including legal and financial penalties under certain conditions. Recent examples of the latter include the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which drove the requirement for covered entities to report cybersecurity incidents, and multiple Transportation Security Administration (TSA) directives, which place requirements for network segmentation, access controls, monitoring and detection and patching across transportation entities such as airports and railways.

“Are My OT Cybersecurity Investments Paying Off?”

These shifts are driving formal responsibility and accountability to CISOs, who, in turn, have started prioritizing business risk over mere technology. The question they increasingly ask themselves is, “For my OT cybersecurity investments, can I demonstrate the business outcomes they achieved?” What “business outcome” means will vary by project. It could be: has the monitoring and detection tool investment improved operational resilience/uptime in a measurable and demonstrable way? Or, have the security program improvements reduced the time needed for, and increased the accuracy of, compliance reporting? To put it simply, the question is: “Has what I’ve done even worked?”

That question has been notoriously difficult to answer. Even insurance providers — the actuarial masters of the universe with ostensibly the greatest amount of OT cybersecurity incident data on-hand — have struggled to quantify the risk for one simple reason: the numbers are too volatile. For practitioners, service providers and vendors, this poses both a challenge and an opportunity. While it is difficult to answer, those that can will certainly earn the attention (and the dollars) of CISOs.

Quantifying Risk Reduction with Before-and-After Data

For the industry to prove quantifiable business outcomes, we need to be able to capture, track and share before-and-after data that measures risk reduction after a solution is implemented. Projects to address this challenge exist, and more are in the works. One such example is the Emerging Threat Open Sharing (ETHOS) project, formed by a collection of organizations with the goal of making an open-source platform available for real-time, anonymous OT/ICS threat information sharing. When available, the ETHOS platform will allow organizations to be alerted when a security threat occurs at another participating organization, without disclosing any sensitive data about the source, and will be available to organizations regardless of what technologies they do and don’t have.

Reinforcing Consensus-Based Standards with Outcomes Data

Information sharing such as ETHOS will be an important step toward knowing whether what we’re doing at an industry level is even working. It will also advance progress in other areas. Former Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly has long professed the need for government and commercial collaboration to progress the industry and shore up our critical infrastructure defenses. Moreover, impact data is what will evolve leading OT cybersecurity standards, such as the ISA/IEC 62443 series of standards, a consensus-based set of requirements and guidance, from being based primarily on expertise to being reinforced and refined by demonstrable data.

The shift in mindset towards business outcomes is not just timely but overdue. It will drive demand for much-needed data and analysis. It will promote collaboration between governmental and commercial entities – even competitors – and steer both users and vendors toward solutions that make a real impact.