In recent times, the number of cybersecurity-related incidents occurring around industrial systems and operational technology has been rising – with well-publicized reports of malware and threat actors causing critical disruptions of systems. Industrial Cybersecurity is therefore emerging as the frontline defense to address these threats. However, in discussing risks and vulnerabilities, it is important to understand how IT security differs from OT security. Information technology in corporate organizations is structured to ensure that data confidentiality is maintained, with measures in place to protect its integrity and associated availability.
The risk profile of OT and industrial control systems requires a different attitude when dealing with them, mainly because the lifetime of OT systems can often be significantly longer than that of corporate IT systems, and because OT systems focus on the safety and reliability of operations.
We contacted Mr. Urmez Daver, our Global Head for Industrial Cybersecurity in Digital Transformation & Cybersecurity, to give us his take on some of the key challenges in this field, and some of the goals to work towards.
Key challenges in OT Security
In present times, the advent of new technology and geo-political tensions have fundamentally changed the risks of failing to safeguard OT, especially systems used to monitor safety. The Triton malware attack in 2017 was a clear indication that cyberattackers are now also targeting safety-critical systems, further proving that the ‘air gap’ is a myth.
Assuming a future attack has the capacity to cause damage and disrupt an important economic asset, the pressure on private enterprises and governments for change will be untold. In the past, such disruptions were seen as something for individual companies to worry about, when by nature they have the potential to disrupt whole sectors, economies, or political systems.
At this juncture, it is critical to point out that many OT systems have been in place for decades, and have received only just enough care and maintenance to keep them operational on a day-to-day basis. Even newer smart cyber-physical or OT systems may fail to address the associated security challenges of a hyper-connected initiative like Industry 4.0. Industrial Cybersecurity needs to mature at a much more accelerated pace than Enterprise Cybersecurity to better manage the risks that organizations face around managing their Operational Technology.
The importance of OT risk assessments
There are five main reasons to improve your cybersecurity posture for industrial and OT systems.
> there is a regulatory/legal requirement to understand and manage cybersecurity risk as you operate in a safety critical industry
> if you are a product engineering firm, there is immense value in building safety, security and privacy by design into a product or better still, engineering it into the product development life-cycle
> government agencies are concerned about how cybersecurity issues can impact national infrastructure, and this has been viewed as a significant threat globally
> customers/clients are demanding that their intellectual property and process information is protected on your industrial network
> uninterrupted safe and reliable operations are critical for the organization
Besides the regulatory landscape, which is still emerging, organizations need to understand these risks fundamentally in order to conduct a combined engineering and business review using an appropriate framework.
Why work with TÜV Rheinland to improve your Industrial Cybersecurity posture
Our deep understanding of the markets we serve, coupled with our unmatched depth of experience in solving complex safety, security, data privacy, and infrastructure challenges, makes us a credible partner for this cause.
OT systems must be protected using a combination of policies and procedures, technical controls, user education, and supporting processes – all of which are attainable with our comprehensive portfolio.
Urmez Daver is the Global Head for Industrial Cybersecurity Centre of Excellence at TÜV Rheinland and is also the Vice President for Cybersecurity Consulting services in Asia. He has more than 20 years of experience driving cybersecurity services business across different geographies. Over the past 2 decades he has witnessed the transformation of the cybersecurity landscape through the lens of his career, starting with Digital Trust through PKI, Data Protection, and the First Generation of IT Security tools and services, followed by an era in which the disciplines of Security Strategy, Architecture, Governance, Security Operations and Intelligence started becoming critical components of developing and managing a cybersecurity program for the enterprise. He is currently focused on the area of Industrial Cybersecurity, driven by rapid digitalisation and the convergence of emerging technologies, IoT, IIoT and embedded systems.