Answering the Executive question. What Cyber-Physical Risk do we have to our business outcomes and objectives in the Enterprise and Operations?

In recent years, the buying committees of Enterprise Organizations that require Operational Technology Security solutions for cyber-physical systems have become more sophisticated. This is because operations security has become a priority concern for most if not all, organizations at the board level. Boards and executives have now acknowledged the importance of cross-functional and cross-domain collaboration to build effective OT security programs that mitigate risks and align with business objectives.

I believe this change is a direct result caused by technological decisions in the last several years that have not delivered on addressing risk. Many of these organizations have realized that deploying Visibility and Intrusion Detection Systems has caused disillusion among the teams who have selected them and operated them for several years.
The customer teams often felt that they were oversold and over-promised by vendors who positioned their products as addressing the security needs of OT holistically. The solution helped clients gain incomplete visibility to assets and added complexity to their networks by spanning traffic or use of taps that reduced operational resiliency while giving them a solution that documented vulnerabilities by the 1,000’s without providing a mitigation plan or solution to processes on how to patch vulnerabilities. Since the solutions didn’t have context to operations, they couldn’t advise the client on mitigating controls to reduce exposure to their vulnerable devices.

The solutions also required extensive long-term tuning which added additional noise to the already alert-fatigued Security Operations and Network Operations teams. These teams often lacked domain knowledge in engineering, process, and building automation and they did not understand what to do next or how to action the alerts.

These facts have resulted in CISOs having to report to the Executive committee and ultimately to their board, failed projects in OT security that have cost enterprises millions in lost capital and operational expenditures.

Overly-hyped marketing has misguided the industry in various ways. Technically inaccurate descriptions of solutions led customers to believe they would get more than the marketed solutions could deliver. Also, the use of overly technical jargon led companies to select products based on IT requirements instead of focusing on operational solutions that enable safe and reliable systems.

Attending many of these vendor conferences, I have either walked away, shaking my head, or scratching it. The converse, where the presentations have been so technically focused on jargon, I didn’t understand what they were presenting or trying to present to their prospective clients. If I didn’t understand, I am certain most of the audience was lost, but the content was presented with such confidence, that I can see the audience concluding that the purported domain experts were correct, and therefore desired their products. They knew more than us, therefore they had to be correct?

Most, if not all, of the visibility and IDS solutions still on the market today focus on network visibility, and network maps of who’s talking to who and what protocols are in use. I want to make this clear, who’s talking to who is past tense, it’s what’s happened, it’s indicators of compromise. I would much rather focus on prevention. I have always found these solutions to be too focused on networking, and have been built from an IT perspective. If they were designed with OT in mind, the understanding would have been built from the process perspective, after all the domain is process Engineering, and the domain owners understand the process, not always the network.

That’s why I conclude that misguided visibility and IDS vendors have caused extensive capital and operational expense without true risk reduction because they have taken an IT approach to OT Security. Operational Risk Management wasn’t truly considered as they didn’t focus on the Engineering discipline and the reduction of Risk, rather they focused on the Network, Limited Asset Visibility, and Vulnerabilities without considering process resolving issues. The solutions did not reduce risk, increased complexity, and didn’t embrace the domain owners who should be one of the identities within the enterprise responsible for risk reduction, the operators of the process environments. There seems to be a lack of understanding from these vendors about true OT security requirements. Therefore, we see many dissatisfied clients, in the trough of disillusionment, who are either augmenting these solutions, not renewing them, or taking them out of their environments.

Many customers have chosen to use them as one-off tools to help conduct assessments, and they don’t fully deploy these tools across their entire enterprise because they recognize the limited value of these tool sets to help assess environments and they don’t manage Risk. Customers are beginning to understand that these solutions don’t fit into the Operational context required for continuous Risk Management and Mitigation. Clients either develop internal tools or are looking to new emerging vendors like OTORIO, to solve the Risk Management and Mitigation requirements because they have determined these tool sets do not give them what they need as they mature on their overall Security and Risk Journey within OT.

The greater degree of oversight is a direct result of failed projects mentioned above. The Executive has concluded that OT security is a cross-functional and Cross-Domain need requiring the inclusion of C-Level Executives and functional management representing functions of their business including Governance Risk and Compliance. Operational Security, Informational Security, Cyber-Physical Operations, Industrial Controls, Building Automation & Industrial Internet of Things Engineering, Architecture, and Planning while also including Cross-Domain Expertise from the Executive Domain, Engineering Domain, Information Domain, and People Domain owners. People, Process, and Cultural Changes are required to effectively build OT Security and Risk programs into the Enterprise.
The inclusion of Data Analytics and Data Science Expertise is also happening within advanced Enterprises because of the use of sensors, IIoT, data lakes, AI/ML models with data science that assist the Enterprise not only to make better business decisions based on data-driven analysis but also better Security and Risk-based decisions based on data-driven analysis. This helps align Security, and Risk decisions directly to business outcomes which is what the Executives truly desire.

I am very interested in next generation visual analytics of data. I am influenced because of a brilliant data scientist friend who has shown me such systems, and I believe over the course of the next few years we will see OT Security and Risk Management systems incorporate these leading edge designs of data analytics. Platforms to help human beings process operational contextual data in visual ways that we do not see today, those visual ways will allow Executives and other domain owners to understand context to operations, and business outcomes visually to help guide them to quicker decisions based on a multitude of points of input.

In parallel, the Insurance Industry is revamping how it approaches insuring enterprises that have Cyber-Physical systems because of significant losses in the past few years. They have realized these losses as a direct result of technology-based approaches for the validation of security measures. Insurance companies and their adjusters have asked clients to document their security measures in terms of technologies deployed without truly understanding security effectiveness and gaps in configurations that have resulted in many enterprises experiencing significant breaches while carrying insurance.
One-off Threat Risk Assessments (TRAs) are not effective in determining Risk because of the nature of constant change. Insurance companies have also concluded that “snapshot” in time Threat Risk Assessments Enterprises who are digitizing (Industry 4.0) their operations are in constant flux because of change to their environments, as Operations in Industry 4.0 is truly agile business models designed for change.

Insurance Companies are realizing the need for continuous security risk-based, configuration monitoring, and digital framework alignment to assess an insured client for insurability at all times of operation. It only makes sense, attackers are operating continuously, changing tactics, techniques, and procedures to attack the Enterprise. Continuous Risk, Configuration, and Framework compliance monitoring along with human intervention and automation is the natural evolution to defending against this modern threat. Insurability should be in direct alignment with Executive decisions on how and how much to invest in continuous Cyber-Physical Security Risk Management and Mitigation. This is why I believe Cyber Security Management Systems (CSMS IEC-62443), or Cyber-Physical Management Systems (CPS – Gartner) will become commonplace in the next few years, as these systems are the foundation of Risk Management, Mitigation, Insurability, Safe, Sustainable, Reliable, and Resilient Cyber-Physical systems and their ongoing 24x7x365 Operational environments of the Enterprise.

With greater oversight, comes greater demand for assurance of solutions that focus on Risk Reduction for the Enterprise. IEC-62443 has called for CSMS Cyber Security Management Systems within the Framework for a long time. CSMSs are coming into reality because Enterprises are demanding them systematically in 2023 because of all of the above-described conditions caused by the failure of OT Security Solutions. Focusing on the Network has created incomplete security measures from visibility and vulnerability without truly focusing on Risk and Mitigation of Risk within the Environments they have served.
The bright side of all of this, customers are demanding more, which means we will see vendors focused towards Risk Data Driven approaches.

Customers of all sizes are demanding an OT security practice approach that helps develop Cyber-Physical expertise cross-domain and cross-functional teams to be able to support the overall Security of the Enterprise. The domains, being Information, Infrastructure, Engineering, Operations, Security, and Governance. Clearly there are sub-domain within each of these domains as well. Cross-functional, since digital transformation is working to flatten silos of the business(functions), breaking down barriers of those silos, having teams work together in agile business models to ensure business output with focus and interconnection of supply chain, Customer relationship, Engineering, Manufacturing resource planning, Manufacturing of products to customer experience that include omnichannel delivery of final product and solutions to the markets they serve.

The changes, due to Industry 4.0 Digital Transformation, within business structure, operations, and interconnection is causing the attack surface cross-domain, and cross-function to grow exponentially. This is one of the reasons which clients focused toward Visibility of assets, but that wasn’t the end goal, it was simply the beginning of the Security Maturity Journey in OT.
The establishment of OT Security practices towards Risk Management with the right information into the right domain owner, and functional owner allows for the systemic Enterprise ownership of Security needs, measures, performance, along with Risk Reduction across the operational aspects of the business. Combined with Enterprise Management and Analytic systems already in place within most Enterprises, this approach allows the Executive to have a viewpoint of Risk across the Entire Enterprise, not just IT. Cyber-Physical Risk Management Systems enable domain owners to understand Risk in their domain context, while bridging the gap in communication cross-domain ensuring greater understanding between functions of the business on how to address and reduce Risk in concert with each other.
In addition to Risk, the systems allow the Executive to actively see continuous risk calculations, mitigations, and configuration changes to drive toward better business outcomes while ensuring greater security effectiveness. Dashboarding of this nature, allows the Executive to answer the question, what Risk do we have today, at this time to the business and our objectives?

Michelle Balderson

Michelle Balderson is a unique, passionate, highly motivated individual who cares about people. I'm diverse by nature and strong to my core. Supporter of Diversity & LGBT+ Full of color and emotion, while being very focused on Business Outcomes. Strategic advisor with depth of skill within Information Technology and Operational Technology Security. Highly passionate individual who cares about people, while bringing focus to people, process and technology to help solve our business challenges today. Too often we are led by hype of the Industry, rather than focusing on process. It's imperative that we gain visibility to bring control to our environments where we have actionable intelligence to make strategic business decisions and changes to strive and grow within this ever complex and competitive business environment. Security should be a part of the fabric of business, rather than a bolt on after thought. My objective in life is to ensure Security is elevated beyond the product and technology approach most organizations take today. Security should be a trusted advisor to the business. Michelle is a seasoned professional who is process driven with a technical acumen. She is currently Global Security Executive at OTORIO, where she focuses on consulting Enterprise clients on Risk to their Operational Environment. She’s known for her knowledgeable approach to security solutions well beyond simple technology discussions. She coaches clients to think beyond the technology, focusing Risk to the business objective, in combination with foundational security principals. She strongly believes it is important for you to understand what assets need to be protected, why they need to be protected, and what Risks in context to Business Objectives. Michelle has supported the deployment of cybersecurity solutions for IT and OT organizations globally. She is known for thinking beyond technology to the people, process and corporate culture that will be impacted with change. She is driven to align projects to the business objective and desired outcome rather than industry hype.