The energy sector faces a cyber double whammy: IT infrastructure that is vulnerable to the same security, compliance and privacy risks faced by any IT organization, along with the additional burden of OT security, which has its own set of security and compliance risks with the addition of safety concerns.
IT and OT also differ on what is at risk. For IT, it is usually “data @ risk”. For OT it is often “process @ risk”. The general cyber security community is mostly focused on the issues of “data @ risk” – both from the offensive and defensive view. “Process @ risk” is a fundamentally different beast, not least because disrupting a process usually requires at least some rudimentary understanding of the process. That, along with the “unusual” devices, OSes and protocols used in OT (especially ICS), has given OT a modicum of security through obscurity. Obscurity is a useful concept, especially in the sense of “need to know”, but in the long run it is difficult to maintain obscurity (especially in the digital world) in the face of a serious attacker. Besides, IT-OT convergence driven by business needs is taking away even that small advantage.
This means that the energy sector has to deal with IT “data @ risk”, OT “process @ risk” and the IT-OT combination of “assets @ risk” and “business @ risk”. They also have both IT and OT guidelines, standards and regulations that need to be verified and monitored. Let’s not forget that the ubiquitous NIST Cybersecurity Framework (CSF) actually started life as the Framework for Improving Critical Infrastructure Cybersecurity.
This doubling of complexity means that energy management must move towards the combined risk management of IT and OT security. Such a shift to holistic risk management requires an outcome-based view of cybersecurity that integrates IT-OT security, compliance and privacy requirements based on knowledge and understanding of the organizational risk management strategy and its application to both IT and OT domains.
A move towards combined IT-OT security requires 3 ingredients:
- Risk-based IT-OT security threat and compliance modelling.
- Addressing the increasing convergence of IT and OT threats – both between physical and virtual infrastructure as well as IT and OT networks.
- Continuous verification and monitoring of the combined IT-OT assets based on a digital “cyber twin”.
At Orchestra Group we and our partners are working on a unique approach to achieve all three goals, both for IT and for OT.