
Business continuity starts with insight: why OT cybersecurity must change
- 27 June 2025
OT: the forgotten link
The Cybersecurity Assessment Netherlands 2024 outlines a worrying situation. Operational technology plays a central role in vital processes, but it is becoming increasingly intertwined with IT. 'This significantly increases the attack surface,' the study's authors argue. 'Cybercriminals are showing an increasing interest in compromising OT systems, while at the same time they are deploying malware types for sabotage.'
'The state of cybersecurity in OT environments is alarming,' says Koning, who has 20 years of valuable experience in the OT domain, from engineer to consultant on large-scale industrial projects. 'There are companies that have a high level of maturity, but there is a lot of room for improvement across the board, including government, semi-government and corporate.'
This is because many companies primarily look at IT from a strategic perspective, says Koning. 'The factory is seen as one, single, big black box: goods come in and products go out. If a director has a problem opening a file, they call IT. Stated in slightly strong wording: IT is more often the lifesaver, so that's where most investments are made.'
Why IT Rules Don’t Work for OT
One of the key trends, or trend words, of the last couple of years is IT/OT integration. 'If you look closely at what the integration between IT and OT entails, you can see that more and more generic IT systems are being applied within OT to exercise control in this domain.'
However, that creates a dangerous misconception, according to Koning. 'IT and OT both require a different approach. Within IT, you usually use generic solutions in a generic way. Windows, Office: it’s software that we all use in the same way. So you can also take a single approach for the way in which you organise and protect things.' The same does not hold for operational technology.
'Within OT, everything is focused on process automation, and this is not generic. It has a very specific purpose, which is often different for each location. Once something is deployed in OT, you also have to take into account the rules of the game that apply within OT as well as the specific dependencies.'
Danger of centralised management
In practice, those systems are still regularly mixed up, for example when OT user management is performed by the IT department. 'This sounds logical,' says Koning. 'But a common mistake is that it is often done centrally, by logging in once.'
'An IT administrator may well perform OT management, but let him log into another environment with separate credentials. If you don't do this and something happens in IT, your OT systems are also at immediate risk. You just have to separate things like this.'
From firewall thinking to process thinking
A large part of Koning's role consists of creating awareness. 'A situation I come across time and again: I talk to someone who is responsible for several factories in the Netherlands. Then I ask: what have you done about cybersecurity for OT? And the answer is: "Yes, we have a firewall." OK, but is it validated? What else are you doing? How are you dealing with your work processes? How do you deal with suppliers, with third parties, with maintenance parties?'
The problem often lies in the technical focus. 'A lot of OT specialists start out as technical professionals, so they often only think from a technical perspective and sometimes forget the entire people and organisation part.'
'You can build a very nice firewall and an expensive barrier between IT and OT, but as long as a maintenance contractor can just walk into the factory and still plug in a laptop somewhere and spread misery on a network without knowing it, you are still vulnerable.'

Risk-driven working
The solution begins by creating the right insights, says Koning. 'The most important thing is an open dialogue: where do you stand? For organisations that don't know where they stand, it starts with a maturity quick scan. It’s very simple and low-threshold: where do you stand in the big picture? For organisations with more insight, this is followed by an OT cybersecurity risk assessment.'
'You take a risk-driven approach: what are the real risks and what are the financial consequences? What are the consequences for security and the environment? It makes no sense to invest a million if your potential damage is no more than a hundred thousand. But if you have a chemical plant where an incident requires an entire village to be evacuated if something goes wrong, you are dealing with entirely different risks.'
Follow-up steps include design reviews, aimed at gaining an understanding of how systems are working together. 'Very often this only provides limited insight,' says Koning. 'Once you have this understanding, we can also continue the investigation by using our Security scan & asset inventory. For example, with passive security monitoring. Security monitoring shows the assets on the network. It shows how they communicate, but it particularly provides insight into the risks and vulnerabilities.'
Cybersecurity as a growth opportunity
One of the key lessons? 'You have to look at cybersecurity as a business enabler, not just as an expensive generic solution for all sorts of problems,' says Koning. 'By taking these kinds of steps, you are guaranteeing the continuity of your production environment, so to speak. You obtain a new kind of insight into all your assets and your processes. How do they communicate with each other? How do all the processes run? And are they all running optimally?'
You can also get a better grip on your lifecycle management, says Koning. 'Because you get to know which assets you have and their status. Are they end-of-life, are they end-of-sales, are they still supported? This can also help with your future investment plan.'
'Where can you introduce innovation? For instance, can you combine cybersecurity with digitalisation projects? Adopt a broader approach and you’ll also get better buy-in from your organisation. Because cybersecurity is and often remains a sensitive and charged topic and it’s always expensive, but above all, try to see it as an opportunity.'
Start today, think in years
'You also need to realise that it will take the next four to six years to get everything in order. So if you start after two years, you will be eight years down the line before your security is in order. Start today by creating initial insight step by step, but do make considered choices. Don't just start by investing a lot in just firewall solutions or antivirus solutions, when your real risks could be in another area.'
The foundation for effective OT cybersecurity lies in insight and understanding of the specific environment and risks. 'If you don't know your architecture, your risks or your assets, you can't determine what needs to be controlled. This insight and understanding is an absolute requirement for targeted investments that make a substantial contribution to an organisation’s cyber resilience and business continuity.'
Industrial Cyber Security Event - 8 October 2025

Don't miss it!
On Wednesday 8 October, ICT Group will be at the FHI Industrial Cyber Security event at Congrescentrum 1931 in Den Bosch.
Our colleagues Sebastiaan Koning and Robbert Staal will give a presentation on how to demonstrate that your OT cybersecurity is in order. We share practical experience with applying IEC 62443 and show how to comply with NIS2/Cyberbeveiligingswet (the Dutch Cybersecurity Act) and protect your OT systems effectively.