By Steve Hunter, Forescout senior director, systems engineering Asia Pacific and Japan
Operational technology (OT) infrastructure is changing faster than ever before. The capabilities in this space are rapidly evolving thanks to our always-online world, with new ways to control operations, increase efficiency and streamline processes. As these cyber-physical systems emerge in critical infrastructure environments, a new, niche OT cybersecurity market has developed and is now in a transitional state as traditional OT management, governance, infrastructure and security become more and more influenced by IT.
With the increase in convergence between IT and OT, new risks are emerging that can have major impacts on Australian and New Zealand companies, particularly for critical national infrastructure providers. Urgent, proactive strategies are needed to ensure OT cybersecurity develops to the same maturity as IT cybersecurity.
With rapid IT-OT convergence expected over the next few years, Forescout has identified five ways the OT cybersecurity market will change in 2020.
1. New mergers, acquisitions and strategic partnerships will cause market volatility
The traditional OT security market is niche and mature, with focused products that address legacy industrial platforms and networks. As these legacy systems evolve into cyber-physical systems, their security becomes strategically important for both OT and IT stakeholders. To meet the demand for comprehensive cybersecurity solutions, notable acquisitions and strategic partnerships in traditional OT security products are accelerating.
According to Gartner, by year-end 2023, security and risk management leaders will need to adjust their OT security solutions, because 60 per cent of today’s point solution OT security providers will have been rebranded, repositioned or bought, or will have disappeared. This makes long-term planning increasingly difficult, but not impossible. The transitional state of the market makes it a wise idea for security leaders to reassess their OT security vendor landscape to take these market dynamics into account.
2. Disruptionware will increasingly target OT networks
Organisations are increasingly concerned that their core operations are under constant attack. The web of networks that hold many business operations together also increases potential entry points for malicious actors to launch disruptionware, a new breed of attack that usually includes ransomware, but also reaches more broadly to include disk-wiping malware and other disruptive malicious code. Disruptionware is about more than just preventing access to systems and data. It’s about suspending core business operations, which makes OT networks a prime target.
This predicament will further fuel the drive to increase network visibility and implement continuous monitoring solutions to reduce the risk of being affected by attacks like this. New threats and exploits are being discovered every day, with databases of vulnerabilities growing exponentially, keeping cybersecurity teams incredibly busy.
3. Demand for OT security services will increase
Since OT cybersecurity will likely become a top priority in 2020, many organisations will have difficulty expanding their security budgets to the level needed to employ enough people to monitor and respond to cyberthreats in-house. They may also have difficulty finding employees fit for the job, since there’s a significant cybersecurity skills shortage in Australia and New Zealand. As enterprises start to realise the extent of this skills shortage and their budget gaps, it will lead many to outsource those responsibilities to other firms specialising in OT cybersecurity.
Organisations should be thorough when evaluating a services provider, as there are many different levels of OT security expertise out there. Some have a strong OT heritage and excel in certain verticals, while others are core IT service providers taking a first stab at venturing into the OT realm. Because of the critical nature of OT security, proof-of-concept (POC)-based security services should be carefully evaluated and include input and coordination from all relevant teams.
4. Security leaders will increasingly blend passive and active OT security techniques
For many years, most OT security practitioners shunned active solutions, based on the well-founded fear that touching sensitive OT networks could compromise operational stability. To ease OT operators’ worries, most OT security tools operated passively until recently, simply listening to traffic on the network without interacting directly with endpoints.
As vendors advance their OT-specific active capabilities, security leaders are becoming more comfortable with active methods and are starting to blend passive and active security techniques for deeper asset visibility and easier compliance with regulatory standards.
5. OT cybersecurity regulations will continue to increase
Governments globally are increasingly concerned about security threats to OT networks, especially if that network supports a critical infrastructure function, like providing electricity or clean drinking water to citizens. Examples of recent efforts from the Australian government to heighten security oversight of critical infrastructure companies include the passing of the Security of Critical Infrastructure Act 2018, which imposes new obligations on operators and owners of critical infrastructure assets, including Australia’s high-risk major ports and electricity, water and gas utilities.
An excellent example of guidance on uplifting security in critical infrastructure is the Australian Energy Sector Cyber Security Framework (AESCSF), which is a pragmatic approach to self-assessment and building an internal program for cyber security maturity improvement.
To help lessen these compliance burdens, many organisations will seek out and deploy OT security technologies in 2020. During these proofs of concept, companies should structure their requirements in a way that will accurately assess an OT vendor’s maturity and suitability for meeting the guidelines from a particular regulation.
Steve Hunter said, “In order to future-proof OT security strategies, it is essential to build fluid OT cybersecurity systems that let businesses adapt to ever-changing OT infrastructure and government regulations.”