Westlands Advisory’s ‘Global OT Cybersecurity Industry Analysis’ reported investment in OT cybersecurity services increased by 15%[i] in 2021. This is expected to continue over the next few years due to ongoing industrial digital transformation and the current low level of cybersecurity maturity. Whilst early adopters are optimising security programs, the majority of Industrial Operators are still at earlier stages of the cybersecurity lifecycle, characterised by low levels of digital asset awareness, inconsistent and poorly applied governance, and limited security controls. This is starting to change as organisations increasingly connect and digitalise operations, resulting in growing investment in services to assess risk, develop the security strategy, implement the controls, and manage the cybersecurity operation. Asset operators and risk leaders are faced with choosing a security partner from a growing number of service providers.
Digital Transformation of Operations
The digitalisation of industrial operations is advancing quickly. Whilst it is a truism that industrial operations are built to last 25 years and change is slow, it is also a fact that during the lifetime of a plant, sensors and controls are replaced to improve reliability and productivity. Digital products are creeping into brownfield manufacturing operations whilst newer sites are already connected and highly automated.
The pace of change is unlikely to slow over the next decade. Industry projections point towards annual growth of around 15% for industrial software and IIoT (Industrial Internet of Things) platforms. Yokogawa reports that 64% of industrial operators will reach the highest level of autonomy by 2030, up from 15% in 2023. Siemens predicts that 34% of organisations will have digital twins in productive use by 2023. A SANS[ii] Institute survey in 2021 highlighted the growing use of the cloud for OT applications, including remote monitoring of operations and access for third party managed services. Combining and synthesising all of the available research and opinion highlights a manufacturing journey towards self-optimising systems enabled by autonomy, 5G and cloud computing.
A key enabler of industrial transformation is cybersecurity. The era of the industrial system that is not connected to the internet has long since passed. This requires organisations to elevate cybersecurity from an afterthought to a strategic priority where security is a cornerstone of product development, manufacturing processes and supply chains.
Risk and Security Maturity
However, investment in digital programs can get ahead of security. In industrial markets, investment in the safety, reliability and availability of industrial systems has not always included security. There is a myriad of reasons why an organisation falls behind on its security program, from the often quoted “if it ain’t broken, don’t touch it” mentality, to the long-life cycle of industrial systems, and leadership disinclination to invest.
As noted in an earlier WA paper, “most asset owners are somewhere between the start of their security program and midway through updating and implementing basic security controls to achieve a strong and consistent baseline across their infrastructure.” The previously mentioned SANS Institute paper provides an insight into current market maturity related to People, Process and Technology. According to the research, 24% of organisations have no formal process in place to detect threats in OT networks, whilst only 30% are using anomaly detection engines. By extension it is reasonable to assume that the majority have therefore not accurately mapped their assets. This is supported by a Ponemon Institute[iii] survey that reports only 29% of organisations have a complete inventory of IoT/OT devices.
There are signs that industrial operators are moving in the right direction. The SANS survey highlighted that security had risen to the second highest business concern in 2021 (46% of respondents from 39% two years earlier). Additionally, in 2019, 59% of organisations relied on internal resources for incident response, a high skilled process which many industrial operators are unlikely to be able to execute by themselves. By 2021 this had dropped to 44% as organisations increased investment in outside services.
WA’s work supports these conclusions. Discussions with industrial operators, service providers, and technology vendors points to the majority of industrial organisations at the early stages of their security programs, somewhere between Developing and Intermediate. The typical industrial operator has not clearly outlined roles and trained staff or adopted a company wide cybersecurity policy, and is not proactively monitoring OT threats.
Industrial Cybersecurity Maturity Lifecycle
Growing Choice of Partners
Industrial Operators will require support as they increase program maturity yet finding the right partner amongst a diverse and expanding list of OT security service providers isn’t necessarily straightforward. In many cases service providers have similar messages and capabilities. Before diving into discussions WA recommends that Industrial Operators create a short list of potential partners that are most aligned with the characteristics of their business. Is the requirement national or international, with a single site or multiple sites? Is the business driven by strict regulatory compliance? Is the need purely for OT network segmentation and threat detection, or is there a requirement to address security on the plant floor and across the manufacturing site? Is the requirement to implement basic security controls or is it part of a transformational manufacturing project?
The answer to these questions will guide Industrial Operators towards a set of providers that will be more suited to addressing their challenge. For example, a regional utility operating in a highly regulated market with a clear requirement to understand its assets and to monitor OT network performance and threats, should consider an OT specialist with a local presence and strong knowledge of the vertical and related regulatory requirements. Conversely, an international Food & Beverage firm seeking to standardise its global cybersecurity strategy across its operations and supply chain is likely to require a partner that can manage large transformational projects, provide 24x7x365 monitoring globally whilst also offering localised support.
Industrial Operator Supplier Capability Considerations
The strengths and capabilities of different service providers are generally determined by the origin of company. These service providers tend to fit neatly into the following categories.
Professional Services Firms: consulting expertise at scale, offering a full range of services globally
Engineering and Cyber: industrial operating experience and strong OT security knowledge
Industrial Automation: industrial control system expertise with an expanding range of cybersecurity services to address converging IT and OT operations
Telcos: Industrial IT network monitoring and threat detection with growing OT security credentials
IT Services Firms: combining strong IT security expertise with experience of designing, monitoring, and implementing industrial operations
Cybersecurity Services Firms: security specialists with strong IT security capabilities that have evolved services to include OT
These companies provide customers with the end-to-end security services needed to help their partner deliver against IEC 62443, NIST CSF, CIS Controls or equivalents. Investment in people and capabilities is also growing amongst these firms, characterised by expanding services, OT competency centres and product innovation.
Security Service Provider Investment Trends
Industrial operators looking for a partner that can help them move from the “Developing” stage to an “Advanced” security program should consider organisations that are able to provide a range of services.
Governance & Risk Management which includes the client risk assessment, standards adherence and creation of cybersecurity policies in relation to the business objectives.
Assessment & Assurance to test the resilience of the operation and includes penetration testing, red-teaming exercises, and threat assessments. OT specific cyber ranges are used for both assessment & assurance, secure-by-design and staff training.
Advisory services to overcome challenges. Use cases includes SOC operations, threat intelligence, incident response planning, remote access management, deploying new manufacturing processes securely, and staff training and awareness programs.
Secure-by-Design to build cybersecurity into the engineering process to ensure that the product is safe and secure throughout its lifecycle. Use cases may include designing of sensors or machines for use within a manufacturing process.
Systems Integration is the deployment of security controls and handover to the asset owner.
Managed Security Services providing remote monitoring and management of security through a single or networked set of Security Operating Centres (SOCs) usually providing a 24x7x365 service. This includes the controls and configuration management and threat detection. Advanced models include threat hunting and incident response that require the partner to have a strong understanding of industrial networks and processes.
About the Research
WA has released its latest work on OT Cybersecurity following a review of asset owner challenges, investment priorities, and vendor solutions and services. This article relates to a review of cybersecurity service providers. For more information contact Westlands Advisory at info@westlandsadvisory.com
[i] Westlands Advisory’s “Global OT Cybersecurity Industry Analysis” [ii] SANS 2021 Survey: OT/ICS Cybersecurity [iii] Ponemon Institute “The State of IoT/OT Cybersecurity in the Enterprise”