Magazine

FM College ~ News & Articles

Is What We’re Doing Working?

Nov 15, 2024 | Public | 0 comments

Throughout the past decade, some things in the OT cybersecurity industry have not changed or, at least, changed very little. A small percentage of asset owners has detection tools deployed at scale, despite it being an established product market. Systems remain inherently vulnerable, asset owners continue to struggle to maintain OT cybersecurity talent, and comprehensive risk-management programs are very rare.

What has changed is recognition of the risk, mindshare amongst organization leaders, and regulations that are beginning to include punitive remedies such as legal and financial penalties under certain conditions. Recent examples of the latter include the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), that drove the requirement for covered entities to report cybersecurity incidents, and Transportation Security Administration (TSA) directives that place requirements for network segmentation, access controls, monitoring and detection, and patching across transportation entities such as airports and railways.

These shifts are driving formal responsibility and accountability toward CISOs, as well as prioritizing a focus on business risk (vs. technical mindsets) amongst the CISO population. The question increasingly asked is, “For my OT cybersecurity investments, can I demonstrate the business outcomes it achieved?”

That question has been notoriously difficult to answer. Even insurance providers, the actuarial masters of the universe with ostensibly the greatest amount of OT cybersecurity incident data on hand, have struggled to quantify the risk for one simple reason: the numbers are too volatile. For practitioners, service providers, and vendors, this poses a challenge and an opportunity. While it is difficult to answer, those who can will certainly earn the attention (and the dollars) of CISOs.

For the industry to prove business outcomes, data sourced from providers and users is needed, along with tracking of that data, before and after solutions are implemented. Projects to address this challenge exist and are in the works. One example is the Emerging Threat Open Sharing project (ETHOS), formed by a collection of organizations with a goal of making an open-source platform available for real-time, anonymous-threat information sharing. As an example, the ETHOS platform would allow organizations to be alerted when a security threat occurs at another participating organization, without disclosing any sensitive data about the source, and would be available to organizations regardless of what technologies they do and don’t have. 

While information sharing such as (but not only) ETHOS would be an important step toward knowing “is what we’re doing even working,” it would also drive progress forward in many other areas. Further, impact data is what will evolve leading OT cybersecurity standards, such as ISA/IEC’s 62443 series of standards.

Ultimately, the shift in mindset toward business outcomes is timely, and needed. It will drive demand for data that we must have. It will promote collaboration between governmental and commercial entities,  even competitors, and steer users and providers toward solutions that make a real impact. EP

EP Editorial Staff | October 15, 2024

By Jacob Chapman, Nozomi Networks

Jacob Chapman is Director, BD & Alliances, at Nozomi Networks, San Francisco (nozominetworks.com), where he leads the organization’s partnerships with strategic OT OEMs and technology vendors. He also serves as an advisory board member to ISA’s Global Cybersecurity Alliance.

The post "Is What We’re Doing Working?" appeared first on Efficient Plant

0 Comments

Submit a Comment

Five interior design trends for winter

As the days grow shorter and temperatures drop, those aspiring for a seasonal change in home design are shifting toward...

Achieving aggressive sustainability goals

Innovation and progress toward sustainability goals require creative thinking and bold action. And an ingrained willingness...

FM priorities in 2025

  2024 was a year of change. The election of a new Government heralded an historic budget and plans to overhaul...

Using Technology to Navigate FM Trends in 2025

Facilities managers have faced various challenges throughout 2024, including sustainability, labor shortages, and...

SIA Reveals Security Megatrends of 2025

The Security Industry Association (SIA) has released its 2025 Security Megatrends report, which identifies the top 10...