The pressure on in-house teams hinges on the messages that the CISO or equivalent gives to top management and the board about the company’s cyber security status, according to Mortakis: “It all depends on how you provide the message, how you pose the risk, the effects, ramifications, and whether you can indicate that it will not happen to your company. I always try to supply the secured risks, and a remediation plan that is realistic and does justice to the environment and scope.”
While every company is different, many take an “unfortunate” approach to cyber security in Mortakis’s view: “They ask, ‘What is my neighbour or peer doing?’ then try to do the same thing. To me, using a template approach for cyber security does not work. You need a tailored approach suitable for the company, environment, and organization you work with. I have always seen that tailored solution resonate positively with decision makers.”
Combining in-house and external cyber security expertise
Companies facing these challenges often engage with external advisers to establish the required cyber security more rapidly, or to leverage the know-how of a bigger security community that is more able to stay updated and gain experience across companies and sectors. Typically, it is not an either/or decision, says Mortakis: “I’ve worked both in-house and as an external consultant and would say that a combination of both is needed.”
For example, a company CISO needs internal know-how such as how the OT/IT network is mapped out – for ships, for instance, how does this vary between vessel classes? Other issues to handle internally include vulnerability assessment, remediation programmes, and how the company’s operational and cyber security teams collaborate, Mortakis suggested.
“But it’s always good to have an external expert to supplement and complement the internal activities,” he added. “They can bring in checks and balances, which are very important, and a fresh perspective into the overall risk classification – how is the risk assessment being done internally compared with what external auditors are seeing and doing? The key to making this work is leadership to ensure that combined security efforts are aligned towards agreed goals. You can’t do everything in-house, but make sure everyone is pulling in the same direction.”
Deciding what cyber security solutions to use
Some CISOs have another potential choice, between customized and off-the-shelf (OTS) cyber security solutions.
OTS may work for smaller environments or OT/IT networks with simple architecture and operation, according to Mortakis: “It’s like insurance. You need a basic level of coverage, and single or combined OTS solutions can sometimes provide fundamental cyber security controls that everybody should have. But the more complex, customized, and large the OT/IT environment becomes, the more limitations OTS solutions have. Needing to comply with regulation adds to complexity, and if there is a corporate acquisition, the acquired company will have its own environment.”
The point about customization is apt as power and utilities lead the way on cyber security for OT, DNV’s Solberg said: “They are among the most mature in Gartner’s analysis, and that matches our experience with customers. Some even conduct their own research into OT cyber security and are what I would describe as ‘best in class’, which includes tailoring solutions to their own environments and needs.”
Taking a holistic approach to OT-IT cyber security
In this fast-moving cyber security environment, DNV is fielding more enquiries from customers asking for support from the company’s holistic OT-IT cyber security expertise and specific domain knowledge in power and utilities, shipyards, oil and gas, telecoms infrastructure, and maritime. Solberg said: “Our twin focus on both OT and IT means we can help customers to see the whole picture. Clearly, this is also useful if they suffer a cyber attack in either OT or IT and are concerned that it may extend to both.”
Mortakis concluded: “There’s a lot of theory out there, but I look for vendors with proven and specialist experience and who can walk the talk. One reason I selected DNV to work with around my needs on the operational side is that they are very specialized for OT cyber security assessment.”
REFERENCES
- ‘Market guide for operational technology security’, K Thielemann, W Voster, B Pace, R Contu, Gartner, 13 January 2021, report ID: G00737759
- ‘Cybersecurity: Attacks on OT systems are on the increase’, N Blenkey, marinelog.com, 20 July 2020 [online]
- ‘Gartner predicts by 2025 cyber attackers will have weaponized operational technology environments to successfully harm or kill humans’, Gartner Inc., news release, 21 July 2021 [online], www.gartner.com
- ‘Cost of a Data Breach Report 2021’, study conducted by the Ponemon Institute and sponsored, analysed, reported and published by IBM Security