Last year, cyber threats were named the fourth most common concern among CEOs. Today, they rank right after the pandemic and the health crisis. The reason is that OT and IT convergence has become a prerequisite for going digital. Building remote monitoring infrastructure on IoT and digital twin technology means exposing physical facilities to IT networks. Vulnerabilities are inevitable in this scenario, as most OT systems were simply not designed with Internet security in mind.
Here we will look at what to focus on while preparing for the worst, and which measures will prevent loss of business due to cyber attacks.
Securing people as the first frontline
Eighty-four percent of respondents from the utility industry believe that the most common cause of cyberattacks is employees’ actions. With this in mind, it’s advisable to build a culture of internal monitoring and focus on preventive measures.
Invest in education and employee training
- Send a weekly employee newsletter with clear instructions on cybersecurity, reminding staff about the risks and the action protocols.
- Organize regular educational sessions on cyber policy and procedures. Rules such as “never share your log-in credentials with anyone” or “do not leave any internet-connected device unsupervised” must be emphasized, along with an explanation of what the consequences can be.
- Make sure your employees are resistant to phishing by sending reminders and showing examples of such emails. This is especially relevant for payroll staff during the winter holidays.
- Run emergency training. Check how your executives and employees act during a simulated data breach, find their weaknesses, and focus on them during the next educational sessions.
These actions will ensure security stays at the forefront of your employees’ minds.
Ensure strict access control
- Create clear protocols and frameworks for data access based on the principle of least privilege. Ensure employees’ access is exactly what they need to carry out their direct responsibilities, no more, no less. Once their access time expires, make sure their session terminates automatically.
- Apply UEBA (user and entity behavior analytics). It’s a technology based on statistics and machine learning that determines the “usual” behavioral pattern of everyone who interacts with the system. Once there’s an anomaly, such as access from an unknown device or location, the algorithm raises an alert signaling that there might be a data breach.
- Implement multi-factor authentication. Passwords can easily be stolen or shared with other people, so they can’t be the only means of protection. Leverage confirmation calls or messages with one-time codes, biometric authentication, or passphrases.
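The UEBA idea above in working form, as an added example that is not part of the original article: a per-user baseline of known devices, locations and usual login hours is built from constructed login records, and new events that deviate from it (unknown device, unknown location, unusual time) produce an alert reason. All user names, device ids and country codes are constructed.

```python
"""UEBA-style anomaly detection over constructed login records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, device_id, country, hour_of_day)
HISTORY = [
    ("alice", "laptop-a1", "DE", 8), ("alice", "laptop-a1", "DE", 9),
    ("alice", "laptop-a1", "DE", 10), ("alice", "phone-a2", "DE", 9),
    ("bob", "ws-b7", "US", 14), ("bob", "ws-b7", "US", 15),
    ("bob", "ws-b7", "US", 16), ("bob", "ws-b7", "US", 15),
]


def build_baseline(records):
    """Per-user profile: known devices, known countries, mean/stdev of login hour."""
    devices, countries, hours = defaultdict(set), defaultdict(set), defaultdict(list)
    for user, device, country, hour in records:
        devices[user].add(device)
        countries[user].add(country)
        hours[user].append(hour)
    return {
        user: {
            "devices": devices[user],
            "countries": countries[user],
            "hour_mean": mean(hours[user]),
            "hour_std": pstdev(hours[user]),
        }
        for user in devices
    }


def score_event(baseline, user, device, country, hour, z_limit=2.0):
    """Return the list of anomaly reasons for one login event (empty list = normal)."""
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("unknown device")
    if country not in profile["countries"]:
        reasons.append("unknown location")
    # Hour-of-day z-score; the floor of 0.5 avoids division by zero for constant hours.
    z = abs(hour - profile["hour_mean"]) / max(profile["hour_std"], 0.5)
    if z > z_limit:
        reasons.append("unusual login time")
    return reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for event in [("alice", "laptop-a1", "DE", 9), ("alice", "tablet-x9", "BR", 3)]:
        print(event, score_event(base, *event) or "normal")
```

In a real deployment the baseline would be rebuilt continuously from the authentication logs and the alert routed to the security team rather than printed.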
Managing processes and security governance
If people are a random factor that needs to be organized, measurability and predictability are the elements that should underlie any business process. To avoid cyber attacks, we recommend taking the following actions:
Create separate security guidelines for IT and OT
It’s vital to set security priorities based on the specifics of your organization and its processes. For instance, an IT security policy may require a system to be reset automatically when unauthorized access is detected. In OT, however, that may be unacceptable, as such a reset disrupts the employees who are using the connected devices.
Develop a flexible yet consistent management system
It’s advisable to create a single source of verified documentation, covering each employee’s duties and the prescribed security frameworks along with the potential penalties. Appoint managers who will check compliance with this documentation and ensure they stay on top of every process concerning security.
Build security governance
Analyze threats and vulnerabilities and build security governance activities around them. Develop ERM (enterprise risk management) policies and assign concrete actions for both staff and executives to protect the organization’s digital assets. Such questions as “What is security governance?” or “What is its value?” from employees are the first sign you should go back to the first step and invest in education.
Hire a professional security team
When it comes to security, shared responsibility between IT and OT teams is not viable. Putting a qualified chief security officer in charge of cyber, physical, and supply chain security is a decision that 50 percent of organizations are likely to take by 2025.
Carefully manage third parties
Ensure the vendor you’ve partnered with has a strict security policy that matches your requirements. First, it must be a company of tech professionals with proven expertise in protecting their own in-house data. Second, they must legally confirm that they take responsibility for the safety of the data you grant them access to.
Protecting data at the organizational level
The data we are talking about is not only IT data but also operational and personal. In this context, cybersecurity for business should be based on the CIA triad:
- Confidentiality (access to information for authorized parties only)
- Integrity (no unauthorized modification of data during its upload, transit, and storage)
- Availability (authorized users can easily access all data when there is a need)
To give secure access to authorized users, implement the following:
Keep systems up-to-date
Apply security patches regularly and automatically without interrupting OT. The industry dictates its own rules: unlike IT companies, you can’t simply shut down a system to restart it and install the updates, as operations are constantly in progress.
There must be redundant counterparts for essential system components that can go offline for updates while the system stays active, which is crucial for business continuity. Cyber attacks can often be prevented with just one timely update, so don’t ignore security alerts.
Deploy an IDS/IPS
An IDS/IPS (Intrusion Detection System/Intrusion Prevention System) analyzes suspicious network activity and blocks malicious requests or compromised IPs. The IDS instantly sends alerts to security teams, enabling them to respond quickly to a potential threat and activate risk management protocols.
Leverage IP and application whitelisting
Instead of trying to protect your system from every potential source of unauthorized access, there’s the option of creating a list of trusted IP addresses and apps. It’s especially relevant in quarantine times, as whitelisting helps secure remote access for employees working under a BYOD (bring your own device) policy.
Implementing a multi-level approach to IT and OT convergence is the key to effective information security governance and risk management. Focus on identifying your vulnerabilities and take them into account while building a digital strategy. The best decision is to hire dedicated professionals responsible for security who won’t let cyber threats stand in your way while you scale the business.