Q&A on Cyber Resiliency for Operational Technology
As recent cyberattacks have demonstrated increased risk to both IT and operational technology (OT) environments, resilience readiness today has evolved. It is more than a cybersecurity strategy and involves the enforcement of rules and policies that provide the visibility, control, and situational awareness to respond at the speed of business while ensuring that safety and reliability are maintained.
Fortinet’s CISO for Operational Technology, Willi Nelson, shares perspective on considerations when developing cyber resilience, covering fundamentals and strategic planning, to protect the convergence of IT and OT environments.
What does cyber readiness look like today for OT organizations?
Willi: In light of recent events spanning the last three to five years, there has been an uptake in readiness and awareness within the industry. From pipelines, to pharma and transportation, boards are becoming involved in that discussion, which turns the readiness discussion away from just, “Are we prepared?” to now reporting on it. For example, some organizations have a dedicated individual that is working specifically on readiness across the organization. They are responsible for understanding whether threats are real and/or critical, but also what they should be doing and who they should call.
In your opinion, what does cybersecurity mean to most organizations in OT?
Willi: It’s all about awareness. The leadership, including boards and executives, are starting to have more awareness of their manufacturing facilities and operations. Security is becoming everyone’s problem. I think from an OT perspective, it’s back to partnering with your operation centers so they know what threats are real and what’s not. Automation engineers are extremely smart and very capable, but typically, operation centers don’t communicate with them. It is crucial that communication opens up between automation engineers and operators to determine appropriate response. To some extent, it’s people, process, and technology, which goes back to fundamentals. We have to communicate and understand what is being dealt with. For example, if I do X, how does that impact the business? The process has to be dynamic. As threats change, your response plans are going to change as well.
How can an organization gain more control and mitigate risks?
Willi: From an inventory perspective, it starts with knowing what assets your organization currently has. Without visibility into your current assets, you can’t know what your inherited vulnerabilities are for example. If you have an asset that has never been patched, and it’s not on your list of current assets, you’re never going to get to it. When dealing with new vulnerabilities, you should ideally have visibility into all of it. You should be aligned with the business and operations, your architecture and engineering teams should be talking, and you should be partnered with security vendors. Once you’ve achieved this, you have progress.
What does success look like in your opinion, relating to business continuity plans?
- First and foremost, partner with the business. You need to know what the impact is to the business, and if you are willing to take that risk.
- Then, going back to the fundamentals of communication, it’s important to make sure your teams, small or large, are functional. These players need to be prepared.
- Lastly, one you have a workflow, you need to be dynamic and able to adapt when necessary. You need to understand that threats are going to change, and will come from a direction you aren’t prepared for– that’s the nature of the business. “Train the way you fight, fight the way you train.” Everybody needs to be ready to help each other.
This article was written by Willi Nelson, CISO for Operational Technology and originally it was published here. Willi joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in Information Security working across industry verticals such as Healthcare, Telecom, Financials, Manufacturing, and Life Sciences. Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally.