Helping OT Cybersecurity Mature: An Industrial Concern

While company leaders look forward to the applications and the increase in productive capacity promised by the operational technology of Industry 4.0, companies need to consider how they will protect these assets from cybersecurity threats. The central challenge industry experts will confront during this experimental phase concerns bridging operational technology (OT) cybersecurity preparedness to that of more mature IT departments, according to industry experts.  

“Dependence on technology has potentiated new risks that go hand in hand with technology development. New challenges will probably arise,” said Juan Gálvez, CISO, BIVA.

Until recently, OT assets had been protected from cybersecurity threats by an isolated, “air-gapped” network environment. This operational model became obsolete overnight with the rise of smart devices that require direct network connectivity to generate data about operational productivity. This migration has created a convergence between OT and IT, thereby creating added concerns about cybersecurity preparedness between these technology assets and managing departments.

This knowledge gap has created a sense of urgency among industrial field experts who only have to look to the Colonial Pipeline Hack and others to understand the potentially devastating impact of a potential breach. This learning process has only begun, however, with many companies trying to “identify and formulate a security baseline in consideration of independent operation needs,” said Oscar Jaramillo CIO, Enermex.

The reigning concern and focus of industrial companies is trying to precipitate the identification of vulnerabilities and developing security controls in response. This effort is complicated by the parallel “transformation industrial companies are undergoing with the addition of new technologies and digital infrastructure reconfiguration,” said Alexandro Fernández, Head of Cybersecurity OT, Coca-Cola FEMSA.

This metamorphosis implies a seismic transformation and calls for education among industries that were previously sheltered from cybersecurity threats, requiring OT and IT departments to work side by side to “develop transparent security controls in consideration of both operational fluidness and security compliance standards,” said Gálvez. This is an all-new process for industrial companies and cybersecurity companies alike, a transformation that also stands to bring these parties closer so horizontal security needs can be developed at the same pace.

So far, the top priority for companies concerns establishing the variable constant removed by Industry 4.0: network security. Establishing controls and monitoring network security help strengthen the network perimeter and “should be the primary concern of industrial companies,” said Fernández. Furthermore, as companies work to reconfigure their digital infrastructures, they should also consider recognized best practices such as layering independent networks, one for OT and another for IT so that in the worst-case scenario companies can control the blast radius of a security breach to one network segment. While conceptually this sounds straightforward, it is highly complex to implement in practice because it also requires the simultaneous implementation of security controls. This implementation process must also consider the formation of “robust security protocols at the point of interconnection between OT and IT networks”, said Jaramillo.

Other practices considering network security concerns the adoption of Zero Trust protocols, as a means of circumventing malicious data access from anywhere as enabled by cloud and edge computing. This is particularly relevant for industry sectors that routinely receive petitions for updates and support from public IP addresses, said Jaramillo. Companies should also consider contingency plans to protect data assets either through direct, cloud or disaggregated storage practices, said Patricia Fragoso Soto, Manager IT, Volkswagen Mexico.