Cybersecurity for Operational Technology systems

Article

Cybersecurity for Operational Technology systems paramount to maintain trust by consumers and governments

Getting an understanding of Industrial Control Systems security, and the right board-level support to invest in it, was the theme of Deloitte’s Security round table (May 27, 2019). The theme led to a very energized discussion in which participants shared successes and challenges as they discover this specialized field. Continue reading to learn more about our discussions on the new NIS legislation, vendor management, target operating models and incident response. Are we in good shape with our operational security, or just lucky that not many more major incidents have occurred?

By Taede Rakhorst & Jeroen Slobbe | July 17, 2019

Deloitte helps many clients reduce and manage their cyber risk related to Operational Technology (OT) and industrial control systems (ICS). OT security impacts many industries. From hospitals, to companies in the oil and gas industry, and from chemical plants to distribution centers. Although these companies deal with different kinds of control systems, the challenges they face have many similarities.

We organized another round table on OT Security to connect our clients around this emerging business topic. Program directors, CISOs, security specialists, factory directors and other OT professionals met up to share their experiences and perspectives on recent developments. Our participants fed back that they were happy to meet so many of their peers and could openly share information with the wider audience. On the other hand, we saw that many eyes were opened to the challenges lying in front of our society to secure the operational technology that keeps our economy running and in some cases keeps us alive!

Incident response

During the session we discussed the applicability of the new NIS legislation to our participants’ companies and shared experiences on incident response. Our participants raised many questions they had been faced with. What are the similarities with IT incident response, how do you ensure a safe shutdown and how do you prioritize restoring operations? How do you test your OT incident response approach and how do you manage your vendors during an incident? Who is the first one to call if an incident occurs? Who is in control: the factory director or the security specialist? And how do you practice handling incidents? Some attendees had recently had an incident and shared their experiences. Recent OT incidents have highlighted that using regular (IT) response procedures is not always fit for purpose in the OT environment. Since some organizations felt they were just lucky that nothing bad had happened before, we strongly recommend raising the game on OT security, and also starting to strategize your response in case of an incident.

Vendor management

There was also an interesting discussion about vendor management and security. Since our group included OEMs as well as end users, it surfaced the typical procurement challenge. Do customers pay a premium for secure solutions, or will they pay for it later on (as end users still need to increase security to protect their assets)? Whose responsibility is it to make sure security updates are included as part of the standard warranty? The buyer, the vendor, or should the government step in to make it mandatory? In this case the market has the option to regulate itself or be regulated in the long game. We strongly recommend starting the cyber security discussion at the procurement phase of any new connected solution or strategic delivery partnership.

A holistic approach to OT security

As you can see, we surfaced that OT Security is a very multifaceted topic which needs several parts of the enterprise to do their part. The common challenge which our participants seemed to share was how to mobilize their management’s buy-in and ensure companies organize their OT Security (an integrated IT/OT Operating Model). There are no silver bullets. Models that were successful at one organization are not guaranteed to work elsewhere. In our view, the right organization depends on having the right type of conversation with the right people in the right (engineering) language. In that sense, defining the governance for the security of operational technology remains a journey that is different for each organization and industry.

The discussions highlighted that OT security is an emerging area. Although initially perceived as just extending IT Security into OT, most organizations find out it takes much more than this. Gaining value from new (internet) connectivity in operational environments is only possible if you approach the Control System from a business perspective, factoring in security as part of this discussion. It starts with a common business view of OT cyber risk and achieving the right ownership. Once people understand and own this risk, companies can start to move forward with aspects such as agreeing risk-based cyber security measures, defining (risk management) practices, building supporting IT Security capabilities for the sites and driving organizational awareness and accountability.

More information

Do you also want to attend one of our ICS roundtables? Or do you want to know more about our Operational Technology transformation? Please reach out to Taede Rakhorst or Jeroen Slobbe.
