By Heather MacKenzie
With the responsibility to keep their companies ahead of all enterprise-wide threats, CIOs or CISOs certainly feel the increased pressure. Oftentimes these security leaders “grow up” in IT-centered roles, leaving them to feel they’ve got threat detection and response under control.
But, what about the operational technology (OT) side of the company?
If operational disruptions or theft of intellectual property aren’t keeping them up at night, they should be. The absence of OT from the digital risk management mix frustrates CEOs and board members alike. That’s because industrial cyber risks continue to increase.
A key part of the solution is simple: An IT/OT SOC.
For companies with an existing security operations center (SOC), no matter the model, OT systems can be integrated into the mandate of its existing function. We highly recommend this integrated approach – and the good news is there is a straightforward way to include industrial threat oversight.
A SOC is a team, sometimes working at a dedicated facility, whose primary role is to manage and mitigate cybersecurity threats. This team of security analysts and engineers monitors network and device activity to identify and thwart issues. As a result, they protect the business and its sensitive data, plus ensure compliance with industry and government rules.
SOCs can take many forms – from virtual to co-managed to a dedicated, in-house function.
Choosing the right model will depend on a company’s needs and resources. Many companies are opting for a SOC over other options as they strive for more control over security monitoring and how they handle threat mitigation.
But, these SOCs often only include IT systems. As threats to OT systems intensify, there are several key reasons to add in OT and evolve into an integrated, enterprise-wide SOC. They include:
• Faster. By monitoring all systems in a centralized SOC, there’s less risk of communication breakdowns between separate OT and IT teams. You also eliminate the likelihood of incidents being dropped when passed between teams for handling.
• Cheaper. Instead of having two SOCs – one for IT and one for OT – it’s far more cost-effective to combine the two under one umbrella with shared resources, technology and facilities.
• Better. To properly protect OT systems, it takes IT skills and OT knowledge. Many teams find it easier to train IT people on OT sensitivities than to train OT people on IT cybersecurity skills. This is easier to accomplish with a unified SOC.
• Broader. For full, integrated visibility to threats, an IT/OT SOC delivers the complete situational awareness needed to protect both the business and industrial sides of the organization.
“Organizations with both IT and OT struggle with the coexistence of two separate security and risk management functions. This leads to a dispersed view on the overall operational risk the organization is facing,” said Gartner in its “How to Organize Security and Risk Management in a Converged IT/OT Environment” report last year.
“In a continuously evolving threat landscape, a single established security and risk management function is better-positioned to address these threats across both IT and OT. A single leader of this function can also be held accountable for the organization’s overall digital risk. As an added benefit, scarce security resources can now be deployed to address both IT and OT,” the report said.
IT/OT SOC Transition
While choosing to move to an enterprise-level SOC is an important choice, it will take time and thought to execute. OT systems come with security challenges that are unique. Meeting OT’s security needs will require a deeper knowledge and understanding by the overarching SOC team.
Before beginning a transition, consider and discuss how to tackle these three critical areas:
• Technology – It’s important to ensure any solutions or software meet OT’s specific requirements and can also integrate seamlessly into the existing IT SOC infrastructure. Both are equally important. A gap on either side will create barriers to a successful transition.
• People Resources – An enterprise-level SOC is going to need people who specialize in industrial cybersecurity. These new team members might work out of the company’s dedicated facility, or they could be part of a virtual or extended team. No matter how it’s resourced or staffed, expert industrial and OT knowledge will be a necessity. One way to keep costs down and avoid issues with sourcing quality staff is to keep the team members at one physical location and provide the appropriate cross-training.
• Accountability – The only way to truly bring IT and OT together into one SOC is to create a culture of unity, starting from the top down. First, it will be important to have the teams report to one leader – the person ultimately responsible for companywide cyber risk – and to share common goals and KPIs. Then, as teams begin to merge, they should go through exercises to get to know one another and understand the others’ priorities and challenges. The more quickly they can work seamlessly as a team, with speed and agility, the more successful the IT/OT SOC will be at achieving its goals and delivering business value.
An IT/OT SOC is a forward-thinking way to address and mitigate cyber risks companywide.
A combined structure taps into the individual strengths of IT and OT team members, ultimately creating a faster, comprehensive and more cost-effective approach to digital risk management.
We believe this approach is not just a trend, but the future norm.
Heather MacKenzie is an ICS Cybersecurity Specialist at Nozomi Networks. She has worked in industrial cybersecurity since 2008. She helps OT/IT teams responsible for industrial control networks understand cyber risks.