Security

Maximizing OT Security and Resiliency Through a Risk-Based Framework

Derek Dunkel-JahanTigh
June 23, 2022
6 min read

The past 18 months have seen a significant increase in threats targeting critical infrastructure and operational technology (OT) networks. These environments are prime targets due to their age, complexity and importance to organizations. OT is the driver behind the largest corporations in the world – whether it is mixing the secret recipe for Coca-Cola, generating power for millions of customers, or producing lifesaving medication for millions of patients. For large corporations, a disruption in the OT network can easily cause millions of dollars of lost revenue per hour. It’s no wonder companies like JBS Foods, Colonial Pipeline and Brenntag paid a combined $19.8 million in ransomware payments to regain access to their OT networks and restart production. These are just three examples readily available in the public domain, with general agreement among security professionals that the amount not publicly disclosed is likely staggering. These surely include multi-million-dollar breaches and ransomware payments that have not been publicized.

Given the potential for lost revenue, harmed reputation and regulatory fines – companies are scrambling to find ways they can easily secure their OT security programs at scale. The natural desire is to find the fastest, most efficient and effective way to achieve “security.” This desire for a “silver bullet” is further complicated for multi-national global organizations that have vastly different OT network architectures, varying technology stacks, an abundance of opportunities for shadow IT, limited OT network visibility, and dozens of primary languages, cultures and politics to navigate. Any attempt to measure the residual risk of an OT Program for a cyber insurance provider or board of directors sounds like a monumental task. Further, where does one even begin to prioritize risks and compare locations against each other to identify trends and share best practices? In this blog post, we will identify a proven four-step approach for large, complex organizations to begin measuring their OT Security Risks across multiple sites.

Step 1 – Define the risk management framework

A risk management framework (RMF) allows organizations to use a risk-based approach to review business values and risk tolerances to create processes that integrate security controls into an organization’s OT sites and networks. This risk framework should align with the OT Security policy. This framework should define risk indicators for a site and have security control requirements that are scaled by the relative risk of the site. Work with counterparts to understand how business value is defined for production sites – Is Site One a critical path in the supply chain to produce materials at other sites? Does Site Two have a proprietary formula that must be protected at all costs, whereas Site Three has processes that are publicly known? Does Site Three have delivery contracts where the company must provide all the product or be financially responsible for the entire shipment? Additional indicators of risks impacting business risk calculations could be business value, supply chain impact, the connectedness of site equipment, geography, the product manufactured, revenue, and regulatory considerations. Each company is unique and may have confidentiality, integrity and availability constraints that differ wildly across the sites. Securing buy-in from senior stakeholders at the outset is paramount to acquiring resources, funding, and support for enhancing the resiliency and safety of OT sites.

Step 2 – Outline the control set

Define OT security controls to measure sites against industry risks, external frameworks, best practices and the ability for the program to execute. Given the delta between an organization’s readiness to implement and the risk profile of OT security sites, it is highly recommended to have a consistent baseline of controls that map to industry standards (i.e., IEC 62443, NIST 800-82, TSA Security Directive 2) and levels of required controls based upon the regulatory and risk landscape of the OT sites. For example, the highest revenue-producing site where availability is the top concern should have higher requirements for resiliency, redundancy of hardware and backups in place. Selecting OT security controls is an important process that balances the need to secure critical organizational assets while avoiding adverse impacts to operations or the health and safety of personnel on-site. OT security controls should be defined in an organizational OT security policy and allow flexibility to meet the needs of OT sites that have different threat profiles. There should be a process to handle policy exceptions with considerations for technical feasibility issues, where the technology cannot meet a control and the focus needs to be on mitigating controls to reduce risk.

Step 3 – Measuring site-level maturity

Measure compliance of OT sites against defined controls and prioritize residual risk based upon the likelihood of compromise and impact on the organization’s operations (leveraging the risk framework from Step One) considering the mitigations in place. Organizations need to develop a repeatable process for gathering risk information and measuring results. It is recommended to use a consistent set of questions to assess OT sites against a common set of controls that maps back to an industry standard. Over the past 5 years, we have seen greater adoption of the NIST CSF Framework, since it is helpful in communicating the results of maturity across multiple sites in a concise manner and leverages a consistent set of controls. One of the most difficult challenges with managing risks across multiple OT sites is prioritizing resources to efficiently reduce organizational risk and gathering funding to address the issues. Maturity comparisons of site-level security across risk characteristics like geography, product and revenue can help drive remediation activities.

Step 4 – Socialize results

Socialize OT security metrics in an impactful manner to gather support on resourcing and remediation of residual program risks. When discussing OT security risks with executives, highlight the potentially unfavorable business outcomes that may arise from residual risks (financial loss, health and safety impacts, reputational harm). PowerBI Dashboards, like the one below, can be a great visual aid for gathering buy-in from top organizational leaders to secure funding while ensuring OT sites meet baseline expectations. We have multiple clients in complex organizations that have seen tremendous benefits in adoption of security processes and reduction of risk when they leverage site-specific metrics to foster a healthy competition between business unit VPs.

Managing OT security risk at scale is challenging for many organizations. The key is to appropriately identify risk and align resources to reduce organizational risks, that could impact the health and safety of personnel on-site. Protiviti’s phased approach is proven to align internal stakeholders on an approach to measure and prioritize risks, while also gathering the needed support funding and resources to mitigate risks, while improving the resiliency of your OT program.

To learn more about our security consulting services, contact us.

Derek Dunkel-JahanTigh

Associate Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s @KonstantHacker chats with guest @RichardBlech of @XsocCorp about a high-performance symmetric encryption solution that will provide in-depth defense against the threat of fault-tolerant #QuantumComputing. Listen now: https://ow.ly/9oVU50SJklj #ProtivitiTech

Reply on Twitter 1816504643360358712 Retweet on Twitter 1816504643360358712 1 Like on Twitter 1816504643360358712 1 Twitter 1816504643360358712
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s Joe Corrado will join a #Nintex panel for a July 30 webinar to discuss how document automation boosts #RevOps efficiency and sales. Register today to get access to expert tips and real-world success stories. https://ow.ly/LSsf50SJnaY #ProtivitiTech

Reply on Twitter 1816443898970898615 Retweet on Twitter 1816443898970898615 Like on Twitter 1816443898970898615 Twitter 1816443898970898615
protivititech Protiviti Technology @protivititech ·
24 Jul

The world was dealt a massive wakeup call after a #CrowdStrike software update caused global IT outages. In the aftermath, business leaders should take the opportunity to reboot tech resiliency. Learn more from the latest #VISIONbyProtiviti: In Focus: https://ow.ly/R2vU50SJrAT

Reply on Twitter 1816169832544432319 Retweet on Twitter 1816169832544432319 Like on Twitter 1816169832544432319 Twitter 1816169832544432319
protivititech Protiviti Technology @protivititech ·
24 Jul

#VISIONbyProtiviti: In Focus discusses a U.S. judge’s recent ruling that rejected #SEC oversight of #cybersecurity controls in the case against SolarWinds, the impact of the decision, and why it matters. https://ow.ly/Ph7j50SIbLH #ProtivitiTech

Reply on Twitter 1816111993767547294 Retweet on Twitter 1816111993767547294 Like on Twitter 1816111993767547294 Twitter 1816111993767547294
protivititech Protiviti Technology @protivititech ·
17 Jul

How can organizations tackle internal tech tickets when a team is remote? Protiviti’s Kim Bozzella recommends fully leveraging the features of their #IT service management software. Learn more: https://ow.ly/Yf3J50SEy7u #ProtivitiTech #Forbes

Reply on Twitter 1813635582964183412 Retweet on Twitter 1813635582964183412 Like on Twitter 1813635582964183412 Twitter 1813635582964183412
Load More