A successful OT security program starts from the top – which means cybersecurity professionals must know how to communicate effectively with executives and board members. In such a technical space, however, achieving understanding and alignment can be tough. How can OT teams get the buy-in they need to successfully protect the business?
We asked two of cybersecurity’s most accomplished leaders that exact question in our recent webinar, OT Cybersecurity Strategies for Executives. Dawn Cappelli, CISO at Rockwell Automation, joined Dragos CEO Robert M. Lee for a wide-ranging conversation on the best strategies for connecting leadership to OT initiatives. Watch the webinar for some truly fantastic insights, or read on for the recap.
How to Achieve Executive Buy-In
We kicked off the webinar by establishing why executive alignment is so critical. When cybersecurity strategies come from the bottom up, teams tend to address them with the resources that they have. As a result, many efforts aren’t resourced correctly, which opens the organization to tremendous risk. It’s also difficult to scale. Getting every plant manager educated and on board is rarely realistic, while putting the responsibility on leadership enables a top-down approach.
How can ICS teams help executives understand the risks and rewards of OT security? Dawn recommended using real-world scenarios. “Leaders in those environments know exactly how much money each plant makes each day. They know that if a plant is down for x days or weeks or months, that’s going to cost us this much money. So it’s very easy to talk to them in those terms and get them to buy into an OT security strategy.”
Dawn also emphasized the importance of empirical data. Nothing makes an impact like hard numbers. To demonstrate the consequences of OT security failures, look into the SEC filings of companies that were hit. See how long each plant was down and how much it cost.
Rob built on Dawn’s suggestions with ideas for how to educate your Board and make them aware of the company’s current state. “Most businesses do not have a good awareness of where they are in their current OT security posture,” he explained. “One of the big reasons for that is that we have to force the discussion of IT vs. OT.” Communicate to the Board how IT and OT are different. Help them understand that the organization has been focused on reducing IT cyber risk while under-serving OT – the side of the house that actually generates revenue – and that it’s now time to course correct. Go past metrics to risk analysis, brainstorming the scenarios that could lead to failure and the resources required to prevent them.
What if your team culture tends to hold back information from the Board? Tell them anyway. Rob warned, “If you’re a CISO and you’re NOT digging into the OT side, you’re going to lose trust fast. Every board has OT security on its agenda, and if the CIO or CISO doesn’t bring it up, they will lose a massive amount of trust.”
5 Critical Controls for OT Cybersecurity
You’ve got the buy-in – now what? Once the C-suite and Board are educated and aligned on the risks and necessity of OT security, consider your package of controls.
Rob suggested asking executives for a top to bottom list of the most important sites in the company. That list will act as a prioritization tool, enabling the teams to work together to decide what systems and locations to focus on first. Use the scenarios generated in the initial conversations to establish how much priority each site should receive and how to balance operations across prevention, detection, and response. What you learn from the “A” sites, you can then apply to the “B” and “C” sites.
What should the package of controls include? According to Rob and Dawn:
1 | A defensible architecture, whether through firewalls or software defined networks, with the ability to get access into and insights from the environment.
2 | Comprehensive visibility and monitoring to cover inventory, topology, vulnerability management, threat detection, and system to system interactions.
3 | Multi-factor authentication, “anywhere and everywhere you can put it.” Multi-factor authentication (MFA) is one of the few IT controls that can be appropriately and relatively easily applied to OT.
4 | An ICS-specific incident response plan. Unlike MFA, your incident response plan can NOT be copied and pasted from IT, but must be dedicated to the OT environment. You need to know which people with which skill sets need to be inside the plant when something happens.
5 | Collaboration between IT and OT. Last but not least, and at the top of Dawn’s list, IT and OT must work together at the people and technology levels. While this collaboration isn’t easy – more on conquering the IT/OT divide here – it is critical to lasting security success.
By communicating and aligning with company leadership, cybersecurity professionals can ensure that both IT and OT get the resources they need to keep the business secure. Watch the webinar for more great ideas from Rob and Dawn, or request a demo to learn how Dragos can provide industrial-strength cybersecurity at your organization.
Ready to put your insights into action?
Take the next steps and contact our team today.