How to build an operational technology risk management strategy

Cyber attacks on operational technology (OT) have been on the rise in recent years. According to McKinsey & Co, approximately 90 per cent of manufacturing organizations were hit by some form of cyber attack affecting their production process or energy supply.

When compared with IT attacks, cyber attacks on OT could carry heavier risk to health and safety, reputation and cost due to the nature of manufacturing. Cyber security is, therefore, fast becoming a top priority for companies operating in the manufacturing sector.

We caught up with Sam Taylor, cyber security project manager for OT and information technology at waste-to-energy operator Enfinium, at All Access Cyber Security Global to gain insight into the threat landscape, necessity and challenges in enhancing OT risk strategies.

The threat landscape for OT for 2023

The focus of cyber security teams working in risk management has previously been on IT threats given the strong link to corporate security. As Taylor (pictured right) points out: “In the past this has led to considerations for operational security being left behind.” The nature of high-cost technology in the operations of manufacturing has also led to a situation where some manufacturing plants operate with equipment that is more than a quarter-of-a-century old.

Previously, in a situation where manufacturing networks were segregated from the rest of the company’s network, little attention was necessary to the security of these networks. Now, in an age of interconnectivity and the harnessing of vast reserves of data, companies want to access information previously protected through segregated networks. While necessary for the modern world this also comes with vulnerabilities that must be addressed.

The issue for OT risk is compounded by the rise in Internet of Things (IoT) and Industry 4.0. Innovative IoT solution platforms are becoming commonplace across industries due to the provision of full visibility in assets, resources and processes. While they will likely become industry-standard for the manufacturers of tomorrow, they add to an ever-broadening threat surface for OT.

Getting started with managing OT risk

When an organization opts to enhance its OT risk management strategy Taylor says the best place to start is by designing a set of rules, policies and procedures to effectively manage the risk. These rules, he notes, often have a basis in the international standards provided by the NIST Risk Management Framework and IEC 62443.

Once the rule framework has been established, it is time to move onto the management phase of the strategy. As Taylor notes: “The difficulty with setting out any rules is that people have to follow them for them to be effective.” To succeed in effective management of OT risk, resources should be in the right place.

The next step in operational risk management is enhancing visibility in the OT network. Through enhanced visibility, an organization will be able to see the assets in its network and how they interact. Questioning why they interact with each other and whether some assets should interact is vital when considering vulnerabilities, Taylor remarks.

The challenge comes when securing the assets in the network. Unlike IT, assets such as manufacturing machines do not take kindly to traditional cyber security solutions. When applying a traditional antivirus solution to manufacturing equipment, there is often the potential to do more harm than good. Taylor says that manufacturing assets, therefore, require specific cyber security solutions which has given birth to a fast-growth industry.

To demonstrate the specific nature of OT security, Taylor offers the example of patching. In IT security, the approach tends to be to look to patch everything wherever possible. In OT security, however, some solution providers recommend delaying due to vast variables and increased consequences of risk.

The final step in setting out OT risk management is threat detection and response, which involves using increased visibility to set up an alert system from which a cyber security team can respond to potential threats effectively.

The challenges in OT risk management

One of the most difficult challenges is achieving and maintaining consistency across sites. Given the nature of manufacturing, it is near impossible to operate from one site alone. Difficulties in varying assets, cyber awareness and willingness to address threats are often faced at different levels across sites. Communication is key when achieving buy in from those stakeholders the strategy relies upon, whether they be in the C-suite or on the factory floor.

A more unique challenge faced by those in OT risk management is the need for extensive downtime in the process of managing risk. Shutting down production is a burden to any manufacturer and leads to heavy costs, logistical issues and potential reputational damage. Again, communication as to necessity for action is important but planning transparency is key.

Being transparent about the time-cost for implementation of a solutions is important in maintaining realistic timelines. Effective planning within strict timelines to minimize negative impact is essential.

Given the nature of OT, the risk assessment must go beyond considerations for cyber security to a holistic risk management. An example of this is operational efficiency, while a piece of equipment may have zero vulnerabilities versus a modern replacement if it is near broken it still need to be replaced.