OT Security Risks of Taking R&R Approach

28
OT Security Risks of Taking R&R Approach

Integrating OT technology can provide organizations with a competitive advantage in securing their infrastructure and adding business value. However, not knowing how to address security risks associated with it if taking an R&R approach, can expose the organization to multiple cyber risks.

With operational technology (OT) increasingly integrated into the information technology (IT) networks, the complexity and risks related to systems have surged that have long been neglected to ensure security. In fact the vulnerabilities in OT devices alone have increased to 46% as per “Vulnerability and threat trends mid-year report 2021” from Skybox Security. Not only that but the addition of thousands of industrial internet of things (IIoT) devices for instrumentation and sensing will further aggravate these challenges at an exponential rate.

Also Read: Three Strategies for CISOs to Mitigate the Impact of Ransomware Attacks

The risks associated with cyber and operations further exacerbate them. Instead of responding to these growing threats with enough thought, many organizations adopt an R&R (react and rush) approach.

As per industry experts, many organizations adopt the R&R approach, where they wait for incidents to occur before they do and rush to identify a solution. This approach is due to lack of awareness of OT security risks, as well as prioritization of the other investments that are focused on increasing productivity instead of securing their infrastructure. Taking such measures also leads to organizations reacting then rushing to address the security challenge or respond to a corporate or a regulatory mandate that can have drastic consequences. Additionally, continually operating on an R&R approach can also have substantial economic or long-term impacts. Hence, it is crucial for IT leaders, specifically CISOs, to understand the R&R behaviors and the consequences of adopting this approach.

Here are a couple of major OT security risks that they should be aware of associated with R&R:

Leads to wrong investment

In an effort to mitigate the effects of the cybersecurity incident, many CISOs immediately rush to purchase a solution to think small and overlook the major factors. It’s human nature to make decisions that are tactical as opposed to strategic ones. This leads them to take initiatives that only address the challenges they are facing at the moment and shadow the ones that can yield them medium and long-term benefits, while addressing bigger problems in the future. Rushing to make a purchasing decision, thus, will lead them to select a solution depending on what functionality it does or does not possess. In this process, they often forget to factor in other critical criteria, such as the ability of the solution to scale or the long-term supporting capabilities of the vendors.

Also Read: How to look for a Dependable Security Expert

Restricting OT security projects to small pilots

Many organizations are guilty of only investing a limited amount of dollars to their OT security and only proceeding with smaller pilot projects. This is often due to the fact that many of them fail to see any value in scaling the project from the outset. They also lack the necessary concrete and measurable project objectives and KPIs. Hence, before proceeding to measure the success of a project, organizations should have a clear scope and well-defined strategic objectives involving cybersecurity. Otherwise, they will end up abandoning the project with the security gap and attack surface that will remain wide open.

With the immense pressure to embrace modern technology such IT, OT, and IoT devices, to gain a competitive edge in the marketplace it is quite understandable that errors may occur. However, upfront thought processes, strategic planning, and patience will go a long way in assisting the organizations in gaining the benefits while preserving the security of the business and customers depending on them.

For more such updates follow us on Google News ITsecuritywire News