Back to Basics around OT Security

Back to Basics around OT Security

Data may be “the new oil” for the manufacturing world but it cannot be taken for granted

This interesting piece in the Journal of Petroleum Technology made me think, not least because it does not mention in any way the data security imperative that needs to be at the heart of any data-driven digital transformation process.

I have not written much around OT security, but it keeps coming across my desk, and it is undoubtedly one of the hot topics of the moment, with countless tech vendors jumping on a band wagon they assume will be lucrative.

If we were to play the prediction game, I would argue this will be a hot topic for the years to come, given the level at which security maturity levels appear to be in some industries.

Back in 2021, I was concerned with the IT/OT convergence and the threat level this was introducing to previously isolated OT environments, that were otherwise more difficult to secure given their specificities. I was also concerned about the lack of integrated governance across IT and OT worlds, preventing a coordinated response to increasingly common threat agents and attack vectors.

I think those concerns are still relevant, but they seem to be underpinned on the OT side by a worrying lack of understanding around those threats.

Data is a vulnerable asset, whether collected by industrial sensors, payment systems or any type of business platform.

The minute you start basing business decision on data-driven analytics, of course, data quality becomes paramount, but you need to go beyond a generic concept of “quality” and understand what its constituent parts are, in particular in terms of availability, timeliness and accuracy.

These concepts underpin the I and the A of the well-known CIA triad in the IT world (Confidentiality-Integrity-Availability) and they need to be recognised and accepted as security concepts in the OT world as well.

The need to protect the integrity and availability of data should not be seen as alien to a data-driven digital transformation programme.

It should be seen as an integral part of it, requiring the adequate deployment of protective measures in relation to the threats the industry might be facing.

There will be – of course –  variations from one sector to another, but in particular when it comes to critical national infrastructure protection, those aspects are essential and cannot be just an afterthought.

To be successful, all this requires a sound appreciation of the threats involved, and the way they have been developing over the past decade – and continue to develop.

Industrial sensors and devices collect more data than ever; they are connected to communications networks that are faster and more reliable than ever; the ability to process this data at speed and at scale is greater than ever and is being augmented even further by the development of machine learning and artificial intelligence models: This is the reality of the current OT world.

But networks can be slowed down or made to fail by DDOS attacks; machine learning models can be rendered inaccurate by poisoned data, maliciously or inadvertently: This is also the reality of the current OT world.

Senior executives in that space need to wake up to this new reality and accept it.

Going back to the industrial example we started from, data may be “the new oil” for the manufacturing world but it cannot be taken for granted.

It needs to be protected as a valued and valuable asset, and this will probably require a shift in mindset for some.

Have Your Say: