IT/OT cybersecurity is the protection of Operational Technology (OT) used for process control. In the Purdue Model this relates to the protection of industrial operations at Levels 0-3, but in practice relates primarily to the process control level, the local control room and DMZ.
Cybersecurity investment tracks with industrial transformation
The sector is going through a period of significant change. Industrial Operators are transforming security operations in response to the increasing connectivity and automation of industrial operations, and the associated risk of exposing previously air-gapped systems to the internet. This has resulted in asset owners allocating a higher percentage of cybersecurity expenditure on the protection of OT, growing from 17% of total industrial cybersecurity expenditure in 2019, to 22% by 2027.
Investment drivers include the increasing digitalisation of operations, the current threat landscape, and changing regulatory conditions.
Digital Transformation is a strong driver of cybersecurity investment. High technology industries, including semiconductor manufacturing and some automotive operations, are characterised by high levels of automation and advanced cybersecurity programs. Other industries are modernising, and as the adoption of digital twins, edge computing and AR/VR becomes more widespread, cybersecurity investment will increase. 5G and the Industrial Internet of Things (IIoT) will have a significant impact on industrial operations by the end of the decade, greatly increasing connectivity and the interdependencies between industries and supply chains.
Threat & Vulnerabilities. There is a significant amount of intelligence that points to a high and persistent threat to critical infrastructure and global manufacturing operations. Researchers identified new threat groups in 2021 whilst asset owners’ perception of the threat increased as ransomware attacks escalated. The number of known vulnerabilities has also grown significantly in recent years, with more than twice as many published in 2021 as in 2020. Increasing knowledge of the threat, and a better understanding of the risk, has resulted in greater investment in cybersecurity. Nevertheless, many security programs are still at the early stages of implementation and as threats evolve, asset owners will need to adapt.
Recent Security Incidents have raised awareness amongst executives of the consequences of an attack on operations and business performance. The attacks on Colonial Pipeline (Oil & Gas) and JBS (Food & Beverage) resulted in financial loss, operational disruption including to both supply chains and customers, and reputational damage. Headline-hitting security incidents often lead to peers reviewing their own risk strategy, leading to investment in cybersecurity programs. A reduction in security incidents is not expected in the near term and the resulting headlines will encourage executives to continue to modernise.
Regulation is strengthening internationally, nationally and in vertical markets. The EU NIS2 Directive expands the coverage of the existing regulation and aims to increase regulatory powers to drive compliance. There is also a trend towards the tightening of National Laws, for example the German IT Security Act 2.0, mandating the use of technologies and services to protect national infrastructure and other critical industries. Finally, vertical market specific regulations and standards will influence cybersecurity programs. For example, UNECE WP.29 forms part of a process to improve automotive resilience which requires each OEM to implement a Cybersecurity Management System to be operational by mid-2022. This will be rolled out to Tier 1, 2 and 3 vendors who will need to show compliance at later dates. The result of UNECE WP.29 will be an end-to-end approach to security, ensuring that risk is understood, controls are implemented, and threats actively monitored across the automotive supply chain. Westlands Advisory expects greater use of threat detection, improved implementation of OT best practices and a greater focus on Software Bill of Materials (SBOM).
Security destination might be known but getting there is not easy
Despite growing investment, cybersecurity maturity is still low when measured against the most often implemented standards.
The NIST Cyber Security Framework (CSF) is the most widely quoted standard, followed by IEC 62443 and CIS Controls. NIST CSF maps key security requirements to five functions: Identify, Protect, Detect, Respond, Recover. This requires asset operators to move from an over-reliance on protective technologies to adopting a cybersecurity strategy based on operational resilience. This in effect requires organisations to identify and manage assets, segment networks, and to be able to detect and respond to threats quickly to minimise the impact of a cybersecurity incident.
However, it is not always possible for risk leaders to secure the funding. Boards still view cybersecurity as a cost rather than an enabler of change and therefore many security programs will evolve over several budget cycles. Westlands Advisory interviews with operators and service providers discovered that many asset owners are managing a variety of firewall brands, using different policies and configurations, and that the immediate priority is to establish common policies and network segmentation. Whilst the early adopters have implemented asset management and threat detection processes, most asset owners are somewhere between the start of their security program and midway through updating and implementing basic security controls to achieve a strong and consistent baseline across their infrastructure.
Organisational structures and priorities in large, diversified operations also act as a barrier. The OT engineer’s priority of safety, reliability and availability of operational systems does not always align well with cybersecurity policies and processes, requiring common Governance, Risk and Compliance policy across the business. In large, complex organisations, alignment takes time.
An era of investment, technology innovation and partnerships
Although investment and implementation challenges can be significant barriers to change, the IT/OT cybersecurity industry is currently going through a period of heightened private investment, innovation and ecosystem development. Notable themes include:
An increase in the number of vendors providing IT/OT Security Platforms with an expanding range of technology use-cases and integrations.
Managed Service provider investment in OT Security Operations Centres to complement IT SOC/NOCs, delivering OT network visibility, monitoring and threat detection with incident response support.
The development of OT Security Innovation Centres by service providers, with digital twins and simulations to test new products, systems and services.
High investment in Risk Management and Scoring, providing end-users with the tools to quantify and prioritise operational risk.
Increasing levels of Security Automation and Orchestration related to compliance, zero trust, Software Bill of Materials (SBOM) and security operations.
The future direction is clear but the path uncertain
Investment in cybersecurity will increase across the NIST CSF’s Identify, Protect, Detect, Respond & Recover categories. Westlands Advisory expects that by 2027 the majority of industrial operators will have moved from a protective-only security posture to proactively identifying security threats. There will be greater integration between IT security operations and OT, with specialist teams working collaboratively across either the on-prem or remotely managed Security Operations Centre. There will also be a step change in supply chain resilience, with more mature security approaches to third-party access of machines. All of this is known.
What we don’t yet know is how the course might change over the next 5 years due to either known or unknown events. COVID-19 highlighted that a single event can have a significant impact on global systems, resulting in changes to cybersecurity policy, strategy and investment. COVID-19 accelerated the remote access trend, bringing forward expenditure on zero trust technologies that resulted in a range of new products. In the next 5 years it remains uncertain how other events may impact OT cybersecurity investment. Some of these include:
To what extent will current geopolitics increase the cyber threat and how will this change CISOs’ expenditure plans?
Will trade patterns continue to shift leading to significant regional differences in cybersecurity ecosystems?
How will changes to industrial insurance policy impact investment in cybersecurity programs?
How will cybersecurity regulation evolve across countries and industries, and how strongly will it be enforced?
What will be the future status of the sovereign cloud and implications for processing industrial data?
How quickly will 5G impact manufacturing?
These are a few of the bigger picture questions to consider when evaluating the future of OT cybersecurity. If you are a CISO or a vendor and are interested in views on the current and future status of the industry, then contact Westlands Advisory for a 40-minute briefing.
About the research
WA is due to release its latest work on OT Cybersecurity on March 31st 2022 following a review of asset owner challenges, investment priorities, and vendor solutions and services. The work for this project started in September 2021 and follows on from previous work on OT security. The analysis provides a review and forecast of industry investment by technology and service, region and vertical market segment. WA has also conducted an in-depth review of vendors and service providers. For further information contact firstname.lastname@example.org