During this Geek Street roundtable discussion on the second day of InfoSecurity Europe 2022, Nigel Stanley, director of cybersecurity at Jacobs, and other security leaders discussed how to manage operational technology (OT) system risks, create incident management processes and employ risk transfer solutions to better protect critical infrastructure sectors.
Stanley began with a basic definition of what OT consists of in practice, which was articulated as “computers that control or monitor physical things.” This was followed by a look into the current trends driving cyber-risks. Stanley believes that organizations are facing a “perfect storm,” consisting of three things: an increase in attack surface area, increasingly “motivated, sophisticated and increasingly destructive” adversaries who are going after OT systems and multiple organizations that have little visibility into their OT risk nor a sufficient understanding of their OT assets.
The discussion then focused on the impact of OT on business risk, with Stanley stressing the importance of building OT networks that interface effectively with IT and outlining the need for good network segmentation and a DMZ. The emphasis of the conversation then shifted to the need for effective recruitment of personnel with relevant expertise, a challenging endeavor, especially recruiting individuals who have an intuitive understanding of both the OT and IT worlds.
Towards the end of the session, the roundtable centered around the significant issues with measuring OT risk and the need to address this holistically, with considerations of how best to combine quantitative and qualitative methodologies to provide a complete picture when assessing and understanding OT risk.
The main point of agreement in the session came when discussing best practices for raising awareness of OT risk, with the audience agreeing that organizations need an “inclusive mechanism of understanding OT” from the “bottom-up.” The primary mechanism suggested was the “power of story,” which could help articulate the full extent of OT system risks in an effective and captivating way. The room believed this could help significantly in educating personnel and businesses and that this approach could also be strengthened by including prominent OT security incidents, illuminating the need for a robust OT cyber incident response process through narrative to avoid reputational damage, manufacturing loss, share value loss and any impact on the local community.