Building a Strong OT Cybersecurity Foundation: First Ask the Right Questions

Since the onset of the COVID-19 crisis, the pace of digital transformation has accelerated significantly. At the same time, enterprises have become more aware that the leaders in this new digital landscape will be those who oversee and govern their on-premise OT data. Organizations that want to lead must therefore first establish effective cooperation between their IT and OT departments to gain better oversight of their OT data. As a result, IT/OT convergence has become a key indicator of a company's growth potential. Yet despite its importance, IT/OT convergence still seems out of reach for many organizations, mainly because of a single obstacle: cybersecurity. According to a survey by International Data Corporation (IDC), enterprises approach IT/OT convergence cautiously because of concerns about its cybersecurity implications.

To begin with, restating the importance of cybersecurity may seem cliché. On closer examination, however, while IT has prioritized cybersecurity, the same cannot be said for OT. In recent years, industrial digital transformation (Industrial DX) has pushed OT systems out of their closed intranets and onto the Internet. With the many threats that lurk behind online connections, cybersecurity has suddenly become an urgent need in the OT world, one that requires immediate attention. To help you navigate these waters safely, Moxa and YNY Technology, an industrial digital solution provider headquartered in Malaysia and Moxa's partner in various IIoT projects, have identified the key challenges that need to be clarified when securing your control systems. In this article, we examine these challenges through three commonly posed questions (CPQ), each set against a counter-question that we call a question behind the question (QBTQ), to guide you in strengthening your cybersecurity strategy.

CPQ 1 vs. QBTQ 1

“Who’s in charge of this cybersecurity project?” vs. “Where is my cybersecurity strategy vulnerable?”

From an organizational standpoint, focusing on who should lead a project that now falls under OT, yet involves an essentially IT-centric task, can be a distraction. OT personnel may argue that they lack the training and exposure to handle cybersecurity, while IT staff may raise similar concerns that their interaction with OT equipment could affect overall operations. Both sides have valid points: neither department has full expertise in both cybersecurity and OT operations, which creates a dilemma. Trying to assign responsibility based on experience alone is futile. We therefore suggest that clients adopt a “spot the issue first” approach. Instead of asking “who is qualified to take charge?”, the conversation starts with a risk and vulnerability assessment. This assessment identifies plausible threats from an impartial viewpoint, such as unregistered or high-risk OT equipment, obsolete software or services, governance gaps caused by human error, and so on. These objective findings are an excellent starting point for drawing up a clear list of objectives that lets the OT and IT departments work together effectively and address existing issues.

CPQ 2 vs. QBTQ 2

“What’s the return on investment (ROI)?” vs. “What’s the price of inaction (POI)?”

In the OT world, ROI is the standard yardstick when considering investments in new installations. However, when ROI is used to weigh the costs and benefits of cybersecurity, the outcome (i.e., funding from upper management) is often disappointing. This is due to the nature of cybersecurity. Its primary objective is risk mitigation, so it should not be assessed as a growth-oriented “investment.” The real question should therefore be: “If we do not act now, what are the potential consequences?”, also known as POI. The risk of inaction on cybersecurity frequently exceeds initial estimates. POI can therefore help enterprises evaluate the impact of plausible cybersecurity threats from a more pragmatic standpoint and, through prioritization, speed up decision-making on a project.

CPQ 3 vs. QBTQ 3

“What’s the safest solution?” vs. “What’s the most suitable solution?”

After addressing the questions above, which uncover and prioritize cybersecurity vulnerabilities, it becomes essential to assess your strategy, approach, design, or tools. Because most existing cybersecurity approaches, tools, or services are designed from an IT perspective, they may not be inherently suited to OT use. For example, a client in Southeast Asia was advised by their IT department to enable a screen lock on both computers and on-site human machine interfaces (HMI) to thwart hacking attempts. While this is a plausible solution for IT settings, it does not account for the need to respond promptly to anomalies in an OT setting. For instance, if an anomaly occurs at a site, the response time to regain control of the system might need to be within milliseconds to avert substantial losses. If time is spent waiting for the operator to enter the correct passcode, the delay could have enormous financial or existential consequences. Hence, when selecting a cybersecurity solution, it is not the most expensive or most acclaimed one that wins. What matters most is picking the solution that fits your specific requirements.

“Cybersecurity transcends being solely a technical enigma; it morphs into a commercial quandary as well.” Given the recent surge in cybersecurity attacks across the industrial landscape, it is clear why cybersecurity is a pressing concern for most business owners. By turning the customary FAQs into QBTQs, you can lay a sturdier foundation on which to build a cybersecurity plan that fits your enterprise.

