Monday, August 7, 2023

Our way forward: Alliances Drive OT Security

OT Security is a hot topic these days. We are in the early stages of defining OT Security as a practice. The IT security resource challenge pales in comparison to the shortage of folks with an understanding of OT Security.

That may be because we are still evolving. For OT Security, we are now where we were in the early to mid-1990s with defining IT Security. Currently, the sentiment is that IT Cybersecurity folks know little about the fundamental differences in OT, while the OT engineers that own the systems march toward a different set of objectives. 

As we further evolve OT Security, we will see alliances change the OT Security landscape, thereby solidifying OT Security as a unique discipline (and eventually a conscious career choice).

Having personally witnessed the evolution of Information Technology (IT) Security, I see the potential that we are repeating the challenges and gyrations of its early days of innovation, this time in the Operational Technology (OT) space. Once the industry finally surrendered to the notion that maintaining a true "Air Gap" between IT and OT environments was impractical, and an impediment to business-driven data sharing, we witnessed the floodgates open with an influx of vendors and technologies that fill “a” (sometimes perceived) security gap in OT. As we learned from IT, the "point solutions" will gravitate to one another, and security processes will be streamlined through capability consolidation. The current era, driven by digital transformation and business-driven, process-related, information-sharing trends, places immense importance on OT security.

Cyber threats to OT have evolved from theory and speculation, as we saw in exercises such as the Gartner-sponsored “Digital Pearl Harbor” event of 2002, into our new reality. These threats have not only materialized but have also grown in sophistication to the extent they are commoditized and sold as a service. As in the early days of IT Security, emerging point solutions clamor for the attention of senior leadership and budget. The situation is further complicated by the scarcity of engineers and other technical resources with a comprehensive understanding of, and focus on, the entire corporate cybersecurity landscape. Exacerbating the dearth of talent, the OT security teams also need to possess a deep understanding of the Purdue Model's requirements, limitations, and processes. Looking for indications of compromise (IoC) in industrial control systems differs vastly from looking for IoCs in IT systems. This basic disparity between environments gives the OT security industry all three legs of the traditional cybersecurity triad, confidentiality, integrity, and availability (CIA), to massage and re-invent. For OT, the result may be something more associated with the environment, like Reliable Access, Intended Functions, and Preserving Restrictions (AFR).

Déjà vu! As we saw in the IT Security space, forming strategic alliances has risen as a key strategy to foster innovation, share risks, and tap into new markets. More importantly, alliances help drive us to further define “true” OT Security.

The application of IT processes, policies, and technologies directly to OT can be as counterproductive as forcing a square peg into a round hole. Some of you may have heard me say, “Technology is not 'security' and 'security' is not technology.” Technology alone will not save your bacon. Technology is simply a tool to augment people and processes to achieve an acceptable level of risk management and make sound business decisions. However, the foundations of process and education need to evolve in tandem with technological transformation and improvement.

Our way forward crucially depends on pairing technologies that complement each other. The adoption of leading IT tools in OT, particularly with the onset of Industry 4.0, and the use of superior tools designed specifically for OT, will expand "OT Security" as a discipline. As tools evolve, so do people and processes. With the strategic alliances of key industry leaders, we will further define the maturation roadmap of OT Security. This evolution will drive higher learning and training opportunities. Strategic alliances unlock a multitude of benefits, such as shared resources, combined knowledge, and broadened customer reach.

Considering the opportunities and the proven strategic value of alliances in the OT security landscape, it is imperative for us to explore potential partnership avenues. To succeed, we must identify partners aligning with the strategic objectives of OT operators and commensurately grow the OT security discipline. Through the mutually beneficial nature of strategic alliances, we can capitalize on our unique strengths to spur exponential growth in the OT security domain. We should view exploring potential alliances as more than a necessity for advancing OT Cybersecurity—it's a strategic advantage for enhancing our security capabilities, expanding our market reach, and maintaining our lead in the rapidly evolving OT security landscape. I am happy to connect to discuss ideas or suggestions about OT Security, its evolution, or especially any gaps in (or a wish list for additional) capabilities.
