Seven tips to improve operational technology cybersecurity

OT (operational technology) cybersecurity is competing with all other company priorities in terms of funding and backing, and too often leadership teams lack deep technical expertise. From the OT cybersecurity executive sponsor’s view within an organization, a significant challenge is weeding through technical detail to determine the criticality or importance of a technology investment.

From the operations leader perspective, using a framework or model to communicate needs and actions can help streamline funding decisions, as well as clearly map the ups and downs prominent in any risk management endeavor. Visualizing OT cybersecurity as an ongoing practice or cycle of efforts may best represent the nature of protecting operational systems, people, and processes. This same view can help prioritize OT team actions and consider how much effort to invest in OT cybersecurity prevention, for example, compared to response activities.

Similarly, portraying the organization’s maturity level of cybersecurity can help pinpoint gaps, as well as guide programs and governance efforts to progressively improve OT cybersecurity. Another approach to simplify a shared understanding of OT cybersecurity needs is to categorize technical steps within a defined set of controls, using common language as descriptors, such as “Inventory and Control of Hardware Assets.” Viewing the full set of controls, and the organization’s progress aligned to these categories, can streamline joint efforts to manage OT risks.

Select examples of frameworks include NIST Cybersecurity Framework and Center for Internet Security — Controls.

Despite recent training and education regarding the need for OT cybersecurity and the impact of ongoing ICS (industrial control system) threats, industry still lacks some of the fundamental safeguards relative to the level of threat. At the most basic level:

• Understand which systems are critical to operations and inventory them;
• Across these critical systems, know their OS specifics and what protocols are “normal” for the system’s vintage;
• Check that these systems have been hardened and do not, for example, still use the default passwords initially delivered with the solution; and,
• Walk through your facility to ensure these systems do not show passwords on sticky notes or paper nearby – experts note that this is unfortunately a common, basic cybersecurity issue that can also trigger regulatory non-compliance.

Download the complete white paper from Honeywell, 7 Tips To Improve OT Cybersecurity, click here.