The CISO's guide to effective OT security: Overcoming challenges and fostering collaboration


Operational technology (OT) systems have long been common in industries such as manufacturing, utilities, and healthcare. However, as these systems now increasingly integrate with IT networks, they are becoming the responsibility of the Chief Information Security Officer (CISO). As a result, CISOs in these sectors need to secure OT systems alongside traditional IT systems. This added responsibility has significantly increased the demands on security leaders.

Now, to safeguard both IT and OT systems, CISOs must possess the right knowledge and resources. Understanding the complexities of OT systems is necessary for the protection of vital operations and infrastructures; however, it can be difficult to separate genuine expertise from sales hype.

To support security leaders effectively and ensure they have the right tools for securing the business, it is essential for business leaders to understand the challenges that their CISOs face. At the same time, the security industry has a crucial responsibility to lead with insight, helping over-burdened security leaders manage OT effectively.

The growing pains of OT security 

The convergence of OT and IT within organisations is still in its early stages, but as demand for solutions rises, many vendors claim expertise but lack true proficiency. This makes it challenging for CISOs to distinguish genuine expertise from clever marketing, especially as they are getting to grips with OT security themselves.

Vendors with verticalised expertise, such as those serving the manufacturing, healthcare, and energy sectors, face particular challenges. Using existing IT security tools in OT environments proves impractical due to system fragility, unique architectures, and proprietary protocols, all of which create operational risks. Outdated visibility approaches that rely heavily on passive-only discovery methods fall short of providing the comprehensive insight needed for strong OT security.

The lack of actionable insights from incomplete asset inventories further hampers the ability to prioritise and remediate vulnerabilities effectively. Moreover, the need to stitch together multiple point products for specific security functions leads to increased investment, complexity, and security blind spots. This fragmented approach escalates costs and complicates the integration and maintenance of a cohesive security posture in a landscape marked by growing cyber threats.

Apart from vendor responsibilities, organisations must also internally prioritise developing real visibility into the relationship between IT and OT environments. Comprehensive risk assessments and a thorough understanding of IT and OT assets are essential. Without such foundations, securing these environments is nearly impossible.

Encouragingly, Claroty's recent report, based on a survey of over 1,000 IT and OT professionals, shows progress in areas like network segmentation and vulnerability management, reflecting a growing commitment to improving OT security.

Navigating the CISO's dual dilemma 

We've observed a trend of CISOs taking charge of OT security in the private sector, particularly in utilities like power and water. However, many CISOs face challenges in asking the critical questions necessary for effective OT security. They often naturally rely on familiar vendors who may not have the specialised knowledge required for these complex systems. CISOs often hesitate to adopt new technologies or strategies due to the fear of being seen as 'guinea pigs'. This fear contributes to a broader issue concerning CISO wellbeing, where the high-stakes nature of their role and the pressure to avoid mistakes can lead to significant stress and a reluctance to innovate.

This situation has contributed to a surge of vendors entering the OT security market, eager to capitalise on the growing demand. However, not all of these vendors possess the necessary expertise, making it difficult for CISOs to identify the most effective solutions. As IT and OT become increasingly interconnected, finding the right solutions has become crucial for CISOs to ensure robust security.

From sales pitches to strategic insights 

The security industry has a responsibility to help CISOs navigate the complexities of OT security. However, the influx of vendors offering OT security solutions has created a busy marketplace where genuine expertise is often overshadowed by more persuasive, yet less knowledgeable, competitors. This makes it harder for CISOs to discern which vendors truly understand the complexities of OT security and which are simply jumping on the bandwagon.

To truly support CISOs, vendors must lead with knowledge-sharing and strategic advice, shifting from a sales-centric approach to one that prioritises insight and education. This means providing logical understanding and in-depth insights about the intricacies of OT security, rather than merely trying to sell their solutions.

Vendors can sometimes be so focused on promoting their products that the specific needs of the CISO or the company may be overlooked. The emphasis on selling products often takes precedence over providing the right guidance and accurate information. 

To address this, CISOs need to look beyond the noise and evaluate vendors based on their proven track records and deep understanding of OT environments. This involves seeking out those with a history of successful implementations and a comprehensive grasp of the unique challenges faced by industrial systems. By doing so, CISOs can move away from the marketing hype and make better-informed decisions based on proven expertise, ensuring their company gets the best possible solutions and developing an environment of reliability and trust between CISOs and vendors.

The hidden costs of CISO turnover 

High turnover rates among CISOs contribute to a natural aversion to risk, which hinders the effective securing of OT environments. Many CISOs are understandably cautious about trying new solutions, as they do not want to be perceived as taking unnecessary risks. This careful approach, while reasonable, can sometimes slow the progress needed for robust OT security implementations.

It is essential to create an environment where CISOs feel supported and confident in exploring innovative security measures. This includes providing them with the necessary resources, knowledge, and assurances to make informed decisions without undue fear of failure. CISOs' well-being should be an utmost priority. They need to feel valued and secure in their position in order to take calculated risks in adopting advanced security practices.

Only when there is a culture of support and continuous learning will the CISOs feel empowered enough to lead with confidence. This will help them make better decisions and meet the growing demands of today’s advanced world.

Ultimately, OT security demands a collaborative effort between vendors and CISOs to adopt robust, well-informed security measures tailored to each organisation's unique needs. By prioritising expertise over marketing hype and fostering a supportive environment for CISOs, we can enhance the security of critical OT systems. Empowering CISOs with the necessary resources and confidence will ensure they can lead effectively, navigate the complexities of OT security and drive progress in protecting our increasingly interconnected world.


Andrew Lintell is General Manager EMEA at Claroty 

© 1998-2024 BetaNews, Inc. All Rights Reserved.