Operational technology (OT) environments have increasingly come into the scope of cyberattacks as continuing IT/OT convergence has eroded the boundary between these traditionally segregated domains. The networks have converged, but the thinking has not kept pace: risk is still not widely understood as an enterprise-wide issue that transcends organizational boundaries.
The threats and the related consequences only continue to grow more dire.
According to a recent Claroty report, 80 percent of OT environments were targeted by ransomware attacks last year – and Gartner predicts that by 2025, threat actors will weaponize OT environments to successfully harm or kill humans.
Despite considerable efforts, ostensibly compliant organizations continue to suffer breaches. The United States has the highest data breach costs in the world, at $8.64 million on average, followed by the Middle East at $6.52 million, according to IBM.
It feels like we’re trapped in a zero-sum game – each year we spend more than ever before on cybersecurity while security vendors and service providers deliver ever more products and services to market, and yet the impact from cyberattacks keeps rising.
But hackers don’t care about checkboxes – and they respect organizational charts even less. Like sand through fingers, attackers find their path of least resistance and exploit whatever weaknesses they find to achieve their objectives.
Despite record spending and investment into cybersecurity products and services, attacks are only getting worse. Although losing critical business data can be unpleasant, the stakes are even higher in the OT space – regions out of power, disruption of energy and food supplies, and physical damage to critical infrastructure, potentially leading to devastating loss of life.
Between BlackEnergy, TRISIS, and Colonial Pipeline, we’ve seen exactly how bad and how quickly things can go wrong when OT is the target.
So, what lessons can we learn? And how can companies overcome the current stark reality of ongoing security threats?
It’s Time for Security-Compliance Convergence
To overcome the security threats facing the modern enterprise, stakeholders from compliance, risk and security must converge, and leverage the power of big data analytics for a transformative, effective, and more efficient approach to defending the enterprise against today’s advanced cyber threat landscape.
We must erase organizational barriers and artificial silos that keep our risk management functions isolated and outgunned. The lack of integration between security and compliance functions limits enterprise risk observability, making environments easy targets for compromise – and the bad guys continue to exploit these bureaucratic inefficiencies. Only by aligning risk, compliance, and security functions across both IT and OT environments can we hope to achieve a unity of purpose and a clarity of mission on par with our adversaries.
The sooner we stop treating risk data differently based on its source and recognize the simple truth that “data is data”, and that there’s no separate “compliance data”, “risk data”, or “security data”, the sooner we can drive true enterprise-wide risk visibility and management maturity that includes all and serves all – equally.
Thinking like an attacker means transcending the organizational, political, and governance boundaries, the artificial lines drawn around subsets of enterprise environments, and trying to see your environment as the attackers do: as one big soft target just waiting to be plundered.
Each enterprise must find its own path to convergence. Hopefully, before the next breach shows what was missed while waiting for that other department to tell you a story about their risk posture from last quarter – or last year.