Why Include OT in Your Security Operations Center?
In the first part of our series, we discussed the important steps to gain asset visibility and anomaly detection using AI and machine learning.
In this article, we will discuss the importance of integrating OT into your security operations center (SOC) and why it is no longer optional for industrial and critical infrastructure organizations.
Cyber Risk to Operational Technology on the Rise
In the past, industrial systems were not considered high risk because they were isolated and not connected to corporate systems or the internet. They were thought to be protected by their obscurity and of no interest to cyber attackers.
Today’s reality is very different. Industrial cyber risk is now much higher thanks to the following:
- Increased connectivity and data sharing between IT and industrial systems
- Heightened geopolitical tensions since the pandemic
- Transition to cloud-based applications and analytics
- Increasing complexity of attacks and threat actors
According to Gartner, “to reduce risk, security and risk management leaders should eliminate IT and OT silos by creating a single digital security and risk management function. This function should report to IT but be responsible for all IT and OT security.”
Why Should OT Be Included in an Enterprise-Level SOC?
There are many advantages to incorporating OT into an enterprise-level SOC. For example, companies can:
- Stop threats faster by identifying them early in the cyber “kill chain”. These threats usually originate from IT systems.
- Reduce response times by improving communication between IT and OT teams.
- Reduce costs through one comprehensive SOC instead of multiple different SOCs.
- Address the skills gap by leveraging the team’s strengths. Rather than training OT staff on IT cybersecurity, it is often easier to close the skills gap by training IT resources on OT sensitivities.
The US Government has begun to address some of these points through the Continuous Diagnostics and Mitigation (CDM) program led by the Cybersecurity and Infrastructure Security Agency (CISA). This program not only provides helpful resources, but demonstrates that it is possible to successfully integrate OT into a SOC and launch enterprise-wide cybersecurity initiatives.
In addition to implementing a Continuous Diagnostics and Mitigation (CDM) program, there are a number of best practices that organizations can adopt to better unify IT and OT. Here are some suggestions:
- Compliance-focused initiatives, such as SIEM architecture and capacity reviews, and regulatory and compliance alignment
- Assessments such as cyber defense readiness, technical and executive tabletop exercises, and cyber range/simulation exercises
- Capability-oriented planning, such as cyber threat capability growth
- Cyber response programs such as malware analysis training, OT skills development for IT cybersecurity teams, and IT cyber knowledge sharing with OT teams.
Initiatives like these can identify strengths and opportunities for improvement and provide a roadmap towards becoming a more resilient, cyber-secure organization.
In part 1, we will discuss how asset visibility can significantly improve operational efficiency and support preventive maintenance.
For our OT Security solutions: email@example.com