As recent cyberattacks have demonstrated an increased risk to both IT and operational technology (OT) environments, resilience readiness today has evolved. It is more than a cybersecurity strategy and involves the enforcement of rules and policies that provide the visibility, control, and situational awareness to respond at the speed of business while ensuring that safety and reliability are maintained. 

Fortinet's CISO for Operational Technology, Willi Nelson, shares his perspective on considerations when developing cyber resilience, covering fundamentals and strategic planning, to protect the convergence of IT and OT environments.

What does cyber readiness look like in operational technology environments?

Willi:In light of recent events spanning the last three to five years, there has been an uptake in readiness and awareness within the industry. From pipelines to pharma and transportation, boards are becoming involved in that discussion, which turns the readiness discussion away from just, "Are we prepared?" to now reporting on it. For example, some organizations have a dedicated individual that is working specifically on readiness across the organization. They are responsible for understanding whether threats are real and/or critical, but also what they should be doing and who they should call.  

In your opinion, what is the most important piece of cyber resilience for operational technology organizations?

Willi:It's all about awareness. The leadership, including boards and executives, is starting to have more awareness of their manufacturing facilities and operations. Security is becoming everyone's problem. I think from an OT perspective, it's back to partnering with your operation centers so they know what threats are real and what's not. Automation engineers are extremely smart and very capable, but typically, operation centers don't communicate with them. It is crucial that communication opens up between automation engineers and operators to determine an appropriate response. To some extent, it's people, process, and technology, which goes back to fundamentals. We have to communicate and understand what is being dealt with. For example, if I do X, how does that impact the business? The process has to be dynamic. As threats change, your response plans are going to change as well.

How can an organization gain more control and mitigate risks to improve their cyber resilience?

Willi:From an inventory perspective, it starts with knowing what assets your organization currently has. Without visibility into your current assets, you can't know what your inherited vulnerabilities are for example. If you have an asset that has never been patched, and it's not on your list of current assets, you're never going to get to it. When dealing with new vulnerabilities, you should ideally have visibility into all of it. You should be aligned with the business and operations, your architecture and engineering teams should be talking, and you should be partnered with security vendors. Once you've achieved this, you have progress. 

What does successful cyber resilience look like in your opinion, relating to business continuity plans?

1. First and foremost, partner with the business. You need to know what the impact is to the business, and if you are willing to take that risk.
2. Then, going back to the fundamentals of communication, it's important to make sure your teams, small or large, are functional. These players need to be prepared.
3. Lastly, once you have a workflow, you need to be dynamic and able to adapt when necessary. You need to understand that threats are going to change, and will come from a direction you aren't prepared for-- that's the nature of the business. "Train the way you fight, fight the way you train." Everybody needs to be ready to help each other. 

When thinking about cybersecurity solution investments going forward, what are recommendations you would give to OT leaders?

Willi:When discussing solutions with OT leaders I usually mention some of the core items which can help build a foundation for the future. For example, I encourage them to consider segmentation to help control OT/IT convergence as it gradually increases. In addition, regardless of the state of current cybersecurity planning, it is important to remain focused on a journey to integrate disparate products into a platform approach, a cybersecurity mesh platform. Also, OT organizations should incorporate zero trust network access (ZTNA) into cyber plans. Even if not all employees are working remote, ZTNA has cybersecurity benefits across the extended network.