Your priorities may include security, but chances are, your security efforts are not aligned to your real-world risk.
With new levels of Internet connectivity across your operational fleets, traditional IT security measures are not enough. Neither are the perceived air gaps that once separated industrial machinery from exploits on knowledge-worker networks.
As you allocate security budgets and provide direction to your leaders, ask the tough security questions:
- Is your organization prepared for an attack that disrupts operations?
- Have you done everything possible to protect human safety against operational technology hacks?
- Are you complying with regulatory standards to harden your critical infrastructure and services?
Assuming one security department or budget category covers it all is a common mistake. In fact, distinguishing between Information Technology (IT) security and Operational Technology (OT) security is a simple step toward reducing the risk of disruption and downtime.
First, understand that there is a difference between the two:
- IT security revolves around protecting data.
- OT security revolves around protecting safety and ensuring production availability.
For example, you may have furnace temperature control readings that are sent to your SCADA system, helping your operators better tune and monitor production. That falls in the OT security category. Or your team may depend on third-party contractors to perform physical maintenance on your offshore operational assets. This, too, requires different security than traditional infosec. In fact, the vast differences between the two worlds call for a different approach to OT security.
Once you recognize these basic differences, you can better align security strategies to levels of risk.
Second, identify the different levels of risk that IT and OT address.
The past few years have made evident how compromises to IT systems can mean loss of data or damage to corporate brand, reputation, and profits – at least three major retailers had significant data breaches. In an OT environment, by contrast, such breaches would have had disastrous consequences. Changing or interfering with nuclear control systems, rail management systems, and other critical operational systems can impact human lives.
Don’t Wait to Take Action
Discerning these levels of IT-OT risk can help you lead your teams toward the highest levels of human and environmental safety. Start by assessing security weaknesses, ideally with an independent assessor, as the first step toward ensuring better protection of people, processes and technology.
Take a second look at your security priorities and strategies. Ask the right questions now to avoid serious consequences later.