Is What We’re Doing Working?

EP Editorial Staff | October 15, 2024

There is movement toward demonstrating whether OT cybersecurity efforts are actually working, i.e., saving money and increasing productivity.

By Jacob Chapman, Nozomi Networks

Throughout the past decade, some things in the OT cybersecurity industry have not changed or, at least, changed very little. A small percentage of asset owners has detection tools deployed at scale, despite it being an established product market. Systems remain inherently vulnerable, asset owners continue to struggle to maintain OT cybersecurity talent, and comprehensive risk-management programs are very rare.

What has changed is recognition of the risk, mindshare amongst organization leaders, and regulations that are beginning to include punitive remedies such as legal and financial penalties under certain conditions. Recent examples of the latter include the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which drove the requirement for covered entities to report cybersecurity incidents, and Transportation Security Administration (TSA) directives that place requirements for network segmentation, access controls, monitoring and detection, and patching across transportation entities such as airports and railways.

These shifts are driving formal responsibility and accountability toward CISOs, as well as prioritizing a focus on business risk (vs. technical mindsets) amongst the CISO population. The question increasingly asked is, “For my OT cybersecurity investments, can I demonstrate the business outcomes it achieved?”

That question has been notoriously difficult to answer. Even insurance providers, the actuarial masters of the universe with ostensibly the greatest amount of OT cybersecurity incident data on hand, have struggled to quantify the risk for one simple reason: the numbers are too volatile. For practitioners, service providers, and vendors, this poses a challenge and an opportunity. While it is difficult to answer, those who can will certainly earn the attention (and the dollars) of CISOs.

For the industry to prove business outcomes, data sourced from providers and users is needed, along with tracking of that data, before and after solutions are implemented. Projects to address this challenge exist and are in the works. One example is the Emerging Threat Open Sharing project (ETHOS), formed by a collection of organizations with a goal of making an open-source platform available for real-time, anonymous threat-information sharing. As an example, the ETHOS platform would allow organizations to be alerted when a security threat occurs at another participating organization, without disclosing any sensitive data about the source, and would be available to organizations regardless of what technologies they do and don’t have.

While information sharing such as (but not only) ETHOS would be an important step toward knowing “is what we’re doing even working,” it would also drive progress forward in many other areas. Further, impact data is what will evolve leading OT cybersecurity standards, such as ISA/IEC’s 62443 series of standards.

Ultimately, the shift in mindset toward business outcomes is timely, and needed. It will drive demand for data that we must have. It will promote collaboration between governmental and commercial entities, even competitors, and steer users and providers toward solutions that make a real impact.

Jacob Chapman is Director, BD & Alliances, at Nozomi Networks, San Francisco (nozominetworks.com), where he leads the organization’s partnerships with strategic OT OEMs and technology vendors. He also serves as an advisory board member to ISA’s Global Cybersecurity Alliance.
