COMMENTARY
Boards of directors play a crucial role in overseeing the strategic risks their companies face, particularly in sectors that depend on high-risk operational technology (OT) environments, such as energy, transportation, manufacturing, and production. These industries rely on OT, the hardware and software that controls physical processes and devices, to maintain safe and reliable operations, so the consequences of a cyberattack are a direct concern to them. Understanding and managing cyber-risk in OT systems is nevertheless difficult for boards, because OT is cyber-physical in nature and increasingly interconnected with information technology (IT).
The Primary Obstacles Boards Face in Evaluating OT Risks
One of the most significant challenges boards encounter is the gap between OT specialists and board members. The people with deep OT domain knowledge usually sit too far down the organizational hierarchy to influence board-level decisions directly, and boards rarely receive OT risk information in a form they can act on. The result is a lack of awareness and understanding of OT risk at the highest levels of the organization.
In addition, the chief information security officer (CISO), who is typically responsible for enterprise cybersecurity risk, often lacks the specific expertise and training needed to manage cyber-risk in OT environments. OT systems have security weaknesses that differ significantly from those of traditional IT systems: many industrial protocols carry no authentication, controllers may run for years without patching because downtime is costly, and a routine vulnerability scan or rushed patch can itself disrupt a physical process. Applying IT assumptions to such systems leads to OT cybersecurity being misunderstood, understaffed, and underfunded, despite the potentially catastrophic impact of an OT cyber incident.
To gain a comprehensive understanding of OT risk, boards should consider appointing a dedicated OT cybersecurity leader who collaborates closely with the CISO. This role needs executive-level visibility as well as the authority and resources to assess and manage OT security risk effectively. Just as companies have dedicated leaders for environmental health and safety (EH&S) risk or financial risk, they need specialized leaders for OT security. More companies are recognizing this need and creating dedicated OT cybersecurity leadership roles, a positive shift in how OT security is prioritized.
Three Key Strategies Needed for Effective Decision-Making in OT Environments
Effective decision-making begins with recognizing that the consequences of an OT security breach differ markedly from those of an IT security breach. An IT breach typically compromises data and financial assets; an OT breach can cause physical damage to equipment, disrupt critical processes, and create health, safety, and environmental impacts.
To address these challenges, organizations should adopt a risk-based approach to OT cybersecurity. This means following industry standards for OT risk assessment and management, such as ISA/IEC 62443-3-2, which provides guidance on partitioning an OT system into security zones connected by conduits, assigning each zone a target security level, and developing credible risk scenarios against that partitioning.
By developing and analyzing such risk scenarios, organizations can identify and prioritize the most serious threats to their OT environments. Each scenario is rated by likelihood and potential impact, using the same scale the company applies to its other enterprise risks. That consistency lets the board compare an OT scenario directly with financial, operational, or safety risks it already understands, rather than reading it as an isolated technical finding.
How to Achieve Strategic Cyber-Risk Management Across the Organization
Boards of directors that recognize the need for separate but aligned IT and OT cybersecurity programs, each led by experts in its own domain, are better able to address the distinct characteristics and risks of each. IT security focuses on protecting data confidentiality, integrity, and availability; OT security prioritizes safety, availability, and process integrity, and that difference in priorities shapes everything from patch timing to incident response.
To ensure effective oversight and governance, boards can establish an OT Cybersecurity Governance Committee. The committee should include key executives from operations, engineering, IT, and finance, fostering cross-functional collaboration so that OT cybersecurity is integrated into the organization's overall risk management framework rather than treated as a standalone engineering concern.
The Board’s Role in OT Security
Boards and senior management must proactively address the growing cyber-risk in OT environments. This requires a multifaceted approach that begins with understanding the unique challenges of OT cybersecurity, including the potential consequences of an OT breach and the importance of dedicated OT security leadership. Organizations will also need to invest in internal OT cybersecurity expertise, partner with specialized external providers, or both: hiring skilled professionals, providing ongoing training, and drawing on external resources where needed.
The next step is to develop a comprehensive OT cybersecurity program covering risk assessment, vulnerability management, incident response planning, security awareness training, and continuous monitoring. The program should foster collaboration between IT and OT by sharing information, aligning security policies, and coordinating incident response. Because the threat landscape keeps evolving, the OT cybersecurity strategy must be reviewed and updated regularly to ensure it remains effective against emerging threats and vulnerabilities and reflects current best practices.
By taking these proactive steps, boards can improve their organization's resilience against cyberattacks and protect critical OT assets. Specialized firms can provide guidance and support in navigating the complexities of OT cybersecurity, helping organizations align their security processes with business goals and achieve their intended security outcomes.
Boards of directors have an essential role in overseeing and managing cyber-risk in OT environments. By understanding the challenges of OT security, investing in dedicated expertise, and adopting a strategic, proactive approach, organizations can strengthen their defenses and safeguard their critical operations from the growing threat of cyberattacks.