Prioritize OT-specific cybersecurity budgets for enhanced defenses, reduced cyber threats impact


Rising threats and attacks against OT (operational technology) environments, increasing instances of halting operations or production out of an ‘abundance of caution,’ and a volatile geopolitical threat landscape have forced asset owners and operators to prioritize OT-specific cybersecurity investments to effectively address the unique challenges and risks associated with protecting OT systems. By working towards allocating appropriate cybersecurity budgets and resources, businesses can strengthen their defenses and minimize the potential impact of cyber threats on their OT environments.

Creating OT-specific cybersecurity teams requires investing in specialized skill sets and expertise to understand the unique challenges and threats that exist in OT environments. These teams need to have a deep understanding of the industrial control systems (ICS), OT protocols, and operational processes that are at the core of OT environments.

A survey released earlier this year by OTORIO and ServiceNow highlighted a shift in OT security strategy. Data revealed that 78 percent of stakeholders plan on increasing their OT security budget in 2023, 20 percent plan to reduce it, and 2 percent will not change the budget. Companies are in the midst of a global economic crisis, where investment funds are drying up and departmental budgets are being cut across the board. The 20 percent who plan to cut are exposed to further attacks and business interruptions due to a lack of resources.

It’s clear that OT security is a significant concern for critical infrastructure and manufacturers when more than three-quarters of them are increasing their spending in this environment. Companies that plan to increase their OT security budget will increase it by an average of 29 percent. This is a significant increase, suggesting that they are seriously concerned about protecting the OT environment from malware infections, DDoS attacks, and other common threats.

Industrial Cyber recently reached out to OT executives to gain insights into how the OT budget is currently being allocated. They also investigated the ownership, approval, and decision-making processes surrounding the budget, as well as any recent changes that have taken place. Additionally, the executives analyze the key decision-makers for OT cybersecurity budgeting and the factors that influence their decision-making.

Ted Gutierrez, CEO and co-founder of SecurityGate

“We continue to see the lion’s share of budgets spent on high-tech installations focused on asset inventory and vulnerability management but see increasing budget pressure downward as asset owners challenge the value of those expensive systems compared to investments in people and processes,” Ted Gutierrez, CEO and co-founder of SecurityGate, told Industrial Cyber. “Secondly, service contracts for OT environments are seeing a considerable upswing, again as asset owners seek to bridge the gap from vulnerability identification to developing their processes and team internally to manage.”  

Gutierrez said that the OT director (or equivalent) remains the top driver of investments. “We are seeing increasingly more speculation from CIOs, CFOs, and believe it or not – IT Directors. We also find an increasingly visible shift from ‘pure OT budgets’ to embedding security solutions within existing IT budget/procurement infrastructures. Perhaps asset owners are finding it easier to find, manage, and rotate vendors effectively using existing reporting/budgeting systems. However, the case remains strong that automation groups own a huge portion of the Level 0, 1, and 2 investments, and if organized appropriately, we still see those groups driving security sales.”  

“OT Security budgets are increasingly falling under the CISO/CIO groups, rather than just facility or operations management,” according to Gutierrez. “We expect this trend to continue as CFOs and Boards of Directors exert more influence on overall security investments in the coming years. Moreover, we’re seeing signs of OT security being directed by the CIO as part of digitization initiatives.”

Gutierrez said that the factors influencing decision-making vary significantly based on a few key considerations, including how mature the OT security functionality is in the company. If it is mature, he said, some companies are flatlining as non-technical influencers start connecting kinetic attacks (or the lack thereof) to big-ticket spending. It also depends on where the company’s digitization strategy stands and how OT/automation fits within that strategy. “We observe a direct correlation between OT spending and the significance of digitization in an asset owner’s strategy. This implies that through OT/IT consolidation, the digital consolidation owner will oversee the budget moving forward.”

He added that it also depends on how much trust the CEO/CFO/Board places in the current IT/CIO/CISO leadership, and how expansive their experience levels are for handling the management of new groups like OT. “This is one of the largest ‘swings’ we’re observing from engagements.”

“Some asset owners have clear confidence in their IT leadership and OT budgets fall under them; resulting in more services pulled in from OT-specific groups to balance knowledge gaps,” according to Gutierrez. “We also see that OT budgets are ‘thrown’ at IT folks not (yet) confident or capable of implementation, resulting in a mismatch of value generated in years 1-2 between the OT vendors and the asset owners; resulting in more pressure placed on budgets in follow-on years.” 

Dino Busalachi, chief technology officer and co-founder at Velta Technology

The majority of OT cybersecurity budgets are still under the control of IT, Dino Busalachi, CTO and co-founder of Velta Technology, told Industrial Cyber. He added that most organizations do not specifically call out a line item for an OT cybersecurity budget. “OT cybersecurity is still considered a new and emerging practice in most organizations. According to Gartner, most organizations are still in the discovery or firefighting phases of cybersecurity, with a small percentage actively implementing and operationalizing a security solution.”

“Very few organizations have deployed data collection (sensor) technologies to collect east–west traffic from ICS. Within industrial environments, at least 90% or higher are only collecting north–south traffic from within the ICS environment,” Busalachi highlighted. “Retrofits to install sensors to collect east-west traffic within ICS environments are costly and come with many unknowns. Ideally, clients should be thinking ahead and adding cybersecurity technologies and solutions proactively when deploying new machine centers (ICS).”

OT for the most part has yet to embrace cybersecurity responsibilities or create roles specific to determining the current state of the cybersecurity posture of the ICS, Busalachi confirmed. “CIOs and CISOs or other relevant IT infrastructure roles are not delving deeper into the current state of the ICS cybersecurity.”

He added that the IT staff’s lack of familiarity with ICS architecture/infrastructure/networks, applications requirements, processes, and operations, has made them too far removed to be effective in determining OT cybersecurity budget requirements.

Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon Asset Lifecycle Intelligence, told Industrial Cyber that while the owners and approvers of OT cybersecurity budgets vary from company to company, most are either owned or have a strong affiliation with the IT security team. “The key decision makers tend to be both traditional security people as well as operations leaders. A key question to ask is ‘Who owns managing the OT cybersecurity risk?’ If the answer for an organization is the IT security team, they will typically manage the budget. If the answer is operations then they tend to own the budget.”

“A key trend is emerging that is affecting the OT budget decision-making. Companies are realizing that OT security is a risk that must be measured, managed, and driven to an acceptable level,” Carrigan pointed out. “Companies are looking for solutions to help them develop a consistent methodology to identify and measure risk, allowing them to make good decisions on investments that will reduce the most risk.”

Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM

According to Carrigan, another trend is technology consolidation and integration. “Over the past few years, companies have implemented multiple solutions to improve OT security, but many are stand-alone and not integrated. Owner-operators are now rationalizing their security stack, finding opportunities for consolidation, and focusing on integration between the disparate solutions.”

While examining the mechanisms organizations use to determine the appropriate level of investment for OT cybersecurity, executives also assess whether the OT sector receives its budgets from the IT sector or if boards are more understanding of the specific budget needs of OT.

Gutierrez said that one of the top ways to truly dictate, drive, and enhance OT cybersecurity budget remains – and will remain long-term – an effective assessment of systems, facilities, people, and processes. “We see gap or controls-based assessments unlocking more value and ‘risk’-oriented assessments oftentimes confusing non-technical leaders more than intended based on the subjective nature of ‘risk’ assessments implemented, especially by highly experienced consultants. In other words, we’re finding the simplest exercises often result in clarity, which leads to higher budgets,” he added.  

“This is a toss-up and generally links back to the internal teamwork and trust between technical and non-technical leaders within a given company,” according to Gutierrez. “We are, though, absolutely seeing an increase in the number of IT professionals being authorized (or told) to start managing OT budgets/execution.”

Busalachi said that without a clear picture of an accurate OT asset inventory, determining the appropriate level of investment is a guesstimate. “Ninety-nine percent of organizations are uncertain of the number of OT assets they have within their ICS environment. The board and senior level leadership 100% think they’re getting their OT cybersecurity budget from IT, but the IT budget is already allocated for IT enterprise cybersecurity requirements.” 

He added that the OT cybersecurity budget is an afterthought and not spelled out clearly to determine the risk associated with the ICS environment.

Furthermore, “the board assumes IT has the ball with OT cybersecurity budgetary needs. They falsely believe IT is handling and covering OT cybersecurity initiatives, when in fact they are not,” Busalachi said. “This is apparent with the lack of relationships between IT and OT in relation to the ICS supply chain landscape. At a minimum CIOs and CISOs should meet annually with their ICS automation technology providers, similar to the way IT leadership typically meets periodically with whatever IT technology provider they spend millions of dollars with.”

Carrigan said that this is truly a mixed bag at this time. “While the majority of owner-operator executive leadership continues to view OT security as a discipline with the IT security framework, and OT security budget as a percent of the overall budget, some companies are dedicating a specific budget to OT. This is especially true when a company has identified that a severe OT security event has the potential to have a catastrophic impact on their ability to conduct operations,” he added. 

Evaluating how OT cybersecurity teams make the case to management and what approach works, Gutierrez said that this is seen as “the largest, most necessary growth for the OT, ICS, and security sector at large. Connecting business outcomes to cyber investment is a win-win scenario OT cybersecurity teams can make when working with management.” 

He added that often, highly technical OT leaders struggle to effectively showcase the value of their investment strategy in business outcomes or financial terms. “Ensuring the controls/gaps/risks averted or closed match to a unified business outcome strategy is key.”

Busalachi said that OT cybersecurity teams could make the case to management by demonstrating the ‘gaps’ between IT and OT (roles and responsibilities). “They are real and are often overlooked. One of the key disruptors impeding operations is IT (technologies, solutions, and behaviors) impacting production and plant floor operations, costing organizations millions of dollars in loss.” 

He added that eliminating unplanned/unscheduled downtime is priority one right next to safety. “Bridging the gap in understanding and ownership by OT of their cybersecurity can prevent catastrophic loss and organizational risk.”

“One of the most effective methods to justify a security investment is to demonstrate how certain best practices can bring operational benefit. As an example, a comprehensive inventory that includes all software, hardware, and firmware on an OT network can greatly enhance an obsolescence management program,” Carrigan said. “Owner-operators receive regular updates from their control system vendors on components that will be rendered obsolete in the near future. Once notified, companies struggle to know if they have any of these systems on their network and if any of those are controlling a critical process.” 

He also mentioned that a comprehensive obsolescence management program, built upon the foundation of a comprehensive inventory, can improve OT reliability while reducing upgrade costs.

Another example Carrigan cited is having a configuration management database (CMDB) that “allows you to recover from a cyber incident as well as ‘innocent’ mistakes that continue to plague control system reliability. A recent incident at a processing company illustrates this point. During a routine maintenance exercise, a control engineer unwittingly deleted the configuration of an entire DCS network.” 

He added that because the particular task was considered a ‘low risk,’ they did not back up the DCS configuration. “Fortunately, they had a CMDB that they could use to rebuild the control system – the owner reported that without the CMDB the production outage would likely have lasted over 2 weeks compared to the one day it took to restore operations,” Carrigan revealed.

The executives also evaluate the effect that federal directives have on OT budget spending, and how organizations typically make provisions for such adjustments. 

“Depending on the sector, federal directives are unlocking some budgets for OT program,” according to Gutierrez. “However, they oftentimes create more confusion across the security teams. With shifting guidance on shall vs may and varied guidance on reporting timelines and indefinite criteria for incident, event, or breach.”

Busalachi said that “very little at this point, the feds have implemented minor regulations for critical infrastructure. The feds have instructed some critical infrastructure organizations to create an asset inventory, but this does not include how to collect the data or what the data needs to entail. Many will perform a manual asset inventory collection which is not enough because the assets inventory changes daily. This means that the day after the asset inventory is collected it’s already incorrect.” 

He added that very few if any (except nuclear power plants) are collecting the east-west traffic nor determining the risk or vulnerabilities associated with the ICS assets. “The fed is more of an oversight body with little actual control, coupled with the majority of critical infrastructure organizations being privately owned and ‘not’ public companies.”

“At this time it is difficult for owner-operators to make decisions on OT security spending based upon federal directives due to multiple regulations and standards that continue to emerge,” Carrigan said. “As an example, one particular facility could be affected by standards or recommendations issued by the Transportation Safety Administration (TSA), Department of Transportation (DoT), and even the US Coast Guard.” 

He added that owner-operators are recommended to pick an industry-recognized security framework (such as IEC62443 or NIST), develop a comprehensive security program, and then adjust as needed to meet specific regulatory requirements if and when they become mandatory.

Looking into whether it is possible to find solutions that address security issues, as well as support reliability and save operational costs, Busalachi agreed and added that it requires due diligence in implementing the same measures and controls around ICS assets as organizations do for the enterprise. 

“Unfortunately, most organizations are not applying the same amount of due diligence to secure and protect ICS as they do the enterprise,” he concluded. “These truths are easily identified when performing tabletop exercises or other assessment-related research by qualified OT cybersecurity practitioners.”
