15 Apr 2024
by Tony Burton

Navigating the path to success: A step-by-step guide to OT security implementation

Guest blog by Tony Burton, Managing Director Cyber Digital Solutions at Thales UK #techUKOTSecurity

The world around us is increasingly complex and interconnected. Whilst enormous operational efficiency and effectiveness can be achieved through deployment of these complex ecosystems, the threat from cyber security attacks is also growing in frequency, complexity and impact. The UK's Critical National Infrastructure and many other essential services are no exception to this resilience, complexity and efficiency conundrum, and the Operational Technology (OT) that sits at the heart of these complex ecosystems is increasingly vulnerable to the cyber threat from nation state actors through to lone attackers with malicious or criminal intent.

The attack surface and undefinable boundaries of these interconnected and interdependent OT implementations, coupled with the sheer volume of cyber threats and actors, mean that the agenda for CISOs and CIOs has clearly moved to one that addresses the cyber resilience of the business and the OT that supports it. This resilience-based approach reflects the need to understand the threat in the context of the business, plan and implement mitigation measures to reduce risk to an acceptable level, maintain a response and recovery capability for when things are inevitably tested, and then continue to build and optimise cyber resilience as an ongoing activity.

At Thales, we work closely with many organisations that have these resilience needs, including some that require the most stringent security and resilience measures where there is a risk to life or potential national economic impact.

Over many years, we have developed extensive expertise and a comprehensive portfolio of cyber security solutions, working closely with customers to safeguard critical infrastructure, shield sensitive data, and mitigate cyber risks across a variety of industry sectors.

In this short article, we have drawn on that experience to share our step-by-step guide to successful implementation of Operational Technology (OT) security. Consider it a journey, with four interlinked stages: Aware, Enact, Vigilant and Resilient.

Aware

The first step in this journey is to build awareness of the risks, threats, and compliance landscape. This starts with a comprehensive evaluation of the operational technology (OT) equipment in use, understanding the existing controls and governance, and determining the regulatory requirements that must be met.

It sounds simple, but it's not uncommon to encounter challenges at this early stage. Typical issues we come across include organisations being unaware of what devices are connected to their networks, a lack of processes for adding devices or keeping them updated, and a lack of understanding of how to comply with regulations.

Enact

Armed with an understanding of the risks, organisations can move on to the development of business cases and action plans to address their deficiencies. An effective cyber security strategy serves as the foundation for this plan, with a level of protection that’s appropriate for the business risks. The strategy, in turn, guides the implementation process, which consists of three key pillars: technology, processes, and governance.

While the allure of advanced technology is often strong, we have found that successful OT security is built upon a strong foundation of process and governance – in fact technology often accounts for just 20% of the effort required.

Alarmingly, reports indicate a staggering 93% failure rate among industrial organisations in IoT/OT security projects. Many organisations that have experienced failed implementations had a disproportionate focus on technology, and inadequate processes, training and governance led to security flaws. So how can we avoid this pitfall?

Clear and well-defined protocols play a crucial role. Organisations must establish processes for device installation, define access privileges to device configurations, establish procedures for configuration updates, and assign responsibility for software updates.

On the technology front, there are many options to consider, including access control mechanisms, network segmentation and certificate-based access to devices, to name a few examples. Shockingly, only 18% of industrial organisations currently restrict network access and enforce multi-factor authentication on OT networks.

A final key ingredient for success lies in having a well-trained workforce that diligently follows established protocols and executes changes accurately. The vast majority of successful global cyber-attacks exploit social engineering tactics, such as phishing. So, robust training and awareness programmes play a vital role in ensuring the resilience of an organisation's cyber defences.

Once you have the right technology, processes and governance in place, it’s important to stay ahead of the game as threats are constantly evolving.

Vigilant

At this stage, the aim is to proactively identify threats in real time, enabling rapid response and mitigation measures. Services such as Thales’ Managed Detection and Response (MDR) can be used for round-the-clock monitoring of a company’s network and infrastructure, while the Security Operations Center (SOC) acts as a command centre to analyse security events and respond swiftly.

Vigilant monitoring and analysis allow for prompt response and the implementation of appropriate countermeasures to mitigate the impact of any security incidents, safeguarding an organisation’s critical assets and maintaining business continuity.

Resilient

Organisations that have a mature OT security strategy are taking proactive measures to protect their assets from cyber-attacks. These measures include leveraging threat intelligence to actively seek out potential threats from the dark web and other sources, implementing deception techniques to confuse and divert hackers, and conducting active red/blue team testing of security controls to identify and address vulnerabilities before they can be exploited.

Using a cyber-range, such as Thales’ state-of-the-art facility at Ebbw Vale in Wales, enables the testing of existing and potential configurations, evaluation of security controls, and the running of training exercises to build resilience. Our utilities network cyber range, for example, provides a valuable resource for testing, training, and exercising on reference OT implementations to equip organisations with the necessary tools and knowledge to navigate the complex cyber landscape.

The path to mature cyber security solutions may be challenging, but with a commitment to continuous improvement and collaboration with trusted partners, organisations can navigate these complexities and emerge with a resilient and robust cyber strategy.

At Thales, we are always pushing the boundaries of OT cyber security to help build a safer and more secure digital future. Look at our website to find out more about our complete cyber security solutions.


techUK’s Operational Technology Security Impact Day 2024 #techUKOTSecurity

techUK’s Cyber Programme is delighted to be holding our first securing Operational Technology (OT) security impact day to showcase how cyber companies are helping organisations to secure their OT and navigate the convergence of IT/OT systems.
