Why You Should Incorporate OT in Your Security Operations Center

Welcome to part two in my blog series on operational technology (OT) digital transformation (you can read Part 1 here).

In my last post, I covered the important steps of gaining asset visibility and anomaly detection through the use of AI and machine learning.

In this article, I discuss the importance of integrating OT into your security operations centre (SOC), and why this is no longer optional for industrial and critical infrastructure organizations.

Cyber Risk to Operational Technology is Increasing

In the past, industrial systems weren’t considered high risk because they were isolated, with no connectivity to enterprise systems or the internet. They were assumed to be protected by obscurity and of low interest to cyber attackers.

Today’s reality is very different. Now, industrial cyber risk is much higher thanks to:

  • Increased exposure and data sharing between IT and industrial systems
  • Geopolitical tensions, which have increased since the pandemic
  • The transition to cloud-based applications and analytics
  • Increased sophistication of attacks and threat actors

According to Gartner, “to reduce risk, security, and risk management leaders should eliminate IT and OT silos by creating a single digital security and risk management function. This function should report into IT but should have responsibility for all IT and OT security.” I couldn’t agree more.

Why OT Needs to Be Included in an Enterprise-Level SOC

There are multiple benefits of including OT in an enterprise-level SOC. For example, companies can:

  • Stop threats faster by identifying them in early stages of the cyber ‘kill chain’. These threats often originate in IT systems.
  • Reduce response times by improving communication between IT and OT teams.
  • Lower costs via one comprehensive SOC, instead of multiple, disparate SOCs.
  • Address the talent shortage by leveraging team strengths. It’s typically easier to close the skills gap by training IT resources on OT sensitivities, rather than training OT staff on IT cybersecurity.

The U.S. Government has begun to address some of these points through its Continuous Diagnostics and Mitigation (CDM) program, led by the Cybersecurity and Infrastructure Security Agency (CISA). This program not only provides helpful resources, it also shows that it is possible to integrate OT into a SOC and roll out enterprise-wide cybersecurity initiatives.

Beyond a CDM program, there are a number of best practices organizations can adopt to better unify IT and OT. Here are some suggestions:

  • Compliance-led initiatives such as SIEM architecture and capacity review, and regulatory and compliance alignment
  • Assessments such as cyber defence readiness, technical and executive tabletop exercises, and cyber range / simulation exercises
  • Intel-driven planning such as cyber threat intel capability uplift
  • Cyber response programs such as malware analysis training, OT skills uplift for IT cybersecurity teams, and IT cyber knowledge sharing with OT teams.

Initiatives like these can identify strengths and opportunities for improvement, and provide a roadmap to becoming a more resilient, cyber secure organization.

In part 3, I’ll cover how asset visibility can significantly enhance operational efficiency and support preventative maintenance, so don’t miss my next blog.