The problem springs from a gradual convergence between IT and OT processes that started about 20 years ago. In those days, industrial control systems posed few cyber risks because they were mostly proprietary and isolated from the internet. However, since then the cybersecurity landscape has changed dramatically for industrial companies. As the connectivity of OT grew, both to IT and the external world, OT systems became subject to cyber-threats that were not even considered when they were designed – while a widespread expectation remained that the CISO would take the steps necessary to protect them.
For CISOs, the issue is compounded by the fact that exerting influence over what happens with OT isn’t always easy. In practical terms, OT is a totally different world from IT: the two areas of the business have different objectives, a different culture, and different personnel. Yet today’s CISOs have inherited the responsibility for maintaining cybersecurity in OT, which means they will be held accountable for the effects of any cybersecurity incidents that occur there.
that are interdependent and connected – but have limited visibility
Unfortunately, many CISOs are not in a strong position when it comes to ensuring the right steps are taken in OT from a cybersecurity standpoint. While they are empowered to prescribe, in many cases directly supported by the CEO, it’s almost always the OT leadership who have the final say on what can and cannot be implemented in their systems. The situation often plays out like this: the CISO issues a policy for OT security – and despite the policy being non-optional, the OT function pushes back. The result is an internal struggle between cybersecurity and operations in which OT has the upper hand, since nobody wants to risk the business’s operations being disrupted by a cybersecurity measure.
The effect? CISOs are accountable for risks they can’t control. The challenge is all the greater since IT/OT connectivity and the digitalisation of industrial plants under Industry X strategies are increasingly pivotal in driving business performance. Having “intelligence everywhere” in operations boosts speed, efficiency and responsiveness, while having corporate applications able to access real-time data from OT helps companies control and progressively improve operational effectiveness. This requires connectivity across the traditional border between IT and OT. But alongside the benefits, IT/OT connectivity also raises the risk that an incident in IT – which is much more exposed to cyber threats – may jump to OT, where the potential impact is magnified by the resulting operational disruption.
At root, this isn’t only a technical issue: the technologies to protect OT are available. It’s actually a governance problem. And for many industrial companies in the region, this challenge is made more complex by their holding company structure, where cybersecurity is a central service but the implementation of security measures is left to the individual operating companies. So the responsibility for implementing any cybersecurity measures recommended by the CISO rests with the plant, and – it is important to note – is subject to constraints such as industrial vendors’ views on the convenience of deploying them.
The effects can be disastrous
To visualize what all this can mean in practice, imagine this scenario. The CISO in an industrial company with operations across the Middle East has been diligent in issuing appropriate cybersecurity standards for OT, clearly defining the control measures that should be implemented. However, the company’s OT vendor pushes back against some of these controls and imposes restrictions on them. A workaround is then agreed by all parties, but it does not fully satisfy any of them.
It later emerges that the workaround was not valid, and an incident occurs. The cause? The workaround was a compromise solution agreed only after extensive and frank discussions. During those discussions, both parties tried to hold their positions without understanding the complete picture. With the two sides fighting instead of working together, the result was a solution that proved not to be effective in practice, all because of a failure to reach mutual understanding around compliance with a security requirement.