Putting together the latest Industrial Cybersecurity Services Buyers’ Guide was both intensive and exciting. Overall, there were about 30 interactions in a little over three weeks with end-users, service providers, and industry colleagues, who provided key insights into the challenges faced by industrial companies. These companies are working to protect their institutions from cyberattack without degrading their ability to innovate and extract value from technology investments.
There is no doubt that those working to safeguard industrial companies are facing several challenges. Doing more with less was a common theme across many discussions. While some companies have a fairly mature industrial cybersecurity program, other vendors may still be struggling with getting buy-in from relevant stakeholders. Companies that have already done the hard yards and have a mature program in place are well-positioned to deal with the “new normal.”
The OT (operational technology) cyber lead at one of the pharmaceutical companies that developed a COVID-19 vaccine told me that they have a well-oiled program designed to be completely operated and managed remotely, making the company's operations pretty much COVID-proof. In fact, the OT cyber lead was proud that they had successfully managed cybersecurity without having to step onto the plant floor in the last nine months.
Other industrial companies are, however, not so far along the road. The concept of industrial cybersecurity as a journey became more apparent with every discussion, as every company placed itself at a different point on the trip. The key takeaway is that people in OT, tasked with planning and rolling out the next stage, should identify exactly where they are and what the next attainable steps are.
Service providers and vendors would also do well to work with their customers, help them get to the next stage, and not overstretch on services that are best saved for later.
Looking too far over the horizon and trying to take on too much can be an early cause for disillusionment or disbelief, which can stop a project in its tracks before it even gets off the ground. Selling a mega-plan to management, along with an exorbitant price tag, may also not be the best strategy.
Particularly these days, when every dollar that goes into industrial cybersecurity is (rightly so) weighed against its alternatives, it is vital to present a clear business case for every project and limit the scope to something both attainable and quantifiable, and not just in dollar terms, I should add.
Projects should be prioritized by what actually needs to be done in order to move cybersecurity to the next stage, as determined by a well-defined maturity program. While there are many factors that will affect how companies are managing to cope with the new reality, the approach and mindset are the key to success. This is another area where many industrial companies can use some assistance.
As companies focus on their core, whether that be pharmaceuticals, manufacturing, energy distribution or chemical refining, the teams that own and run the OT and industrial cybersecurity in those companies will be pressed to deliver more with fewer available resources.
The challenge faced by the industrial community is that irrespective of where they are in the cybersecurity cycle, either starting out or well underway, there is a myriad of service offerings available to assist. Security risk audits and vulnerability assessments are often key to getting a complete picture of the current maturity level and establishing a starting point for aligning the stakeholders in any program, including OT, IT, risk, and management operations. As always, the focus is on people, processes and technology.
Determining which standards to adopt and the ideal strategy for creating an enterprise-wide industrial cybersecurity program that is applicable to all system lifecycle phases is a major task. Whether the industrial organization needs help in segmenting its product network, creating a cybersecurity awareness training program, or running tabletop exercises, these are not necessarily skills that it will find within the organization.
Whether an industrial organization needs help getting started, wants to bring in a project expert along the way, or is on the lookout for a complete managed service, our recently published Industrial Cybersecurity Services Buyers’ Guide is intended to help folks at industrial companies find their path. Its aim is to give a clear and concise picture of the many services available, and the companies that provide them, to help secure industrial environments.
The guide also covers the scope of offerings from each service provider across several service categories. It does not endeavor to paint a complete picture or strategy, but is intended to help purchasers, suppliers, and users of OT to better appreciate the gamut of cybersecurity solutions and tactics being addressed by vendors today.