A lack of skills and ownership are top challenges to OT security

A lack of skills is considered to be one of the biggest challenges facing organisations managing operational technology (OT) risks, according to an online survey by security firm NTT Security.

The poll also reveals confusion about who is responsible within the business for securing OT, with most respondents saying it should be the engineering function rather than the security or IT department. 

Asked what the biggest challenge is for companies managing OT risk, just under half (46%) of more than 7,500 respondents with an interest in OT security said a lack of skills, while 29% said a lack of visibility into OT networks to facilitate risk assessment.

A quarter of respondents believe that a disconnect between OT and IT teams could be cause for concern.

On the subject of responsibility, 42% of respondents believe OT security should fall under the engineering director and more than one-third (38%) say the chief technology officer (CTO), while just one in five say it is the job of the chief information security officer (CISO). 

When it comes to responding to a cyber attack on OT systems, only one in four (26%) respondents believe the majority of incident response plans cover both OT and IT, while one-third say no plans do.

“It is clear that arrangements for securing OT are a huge challenge for organisations, especially when it comes to identifying exactly what those risks are and the potential impact they may have on the business,” said Tim Ennis, senior operational technology consultant, cyber security consulting at NTT Security.

“With greater connectivity and convergence with IT comes greater risks and these have to be managed accordingly.”

Having the rights skills in place and clear lines of responsibility within the business are fundamental, said Ennis. “There is no one-size-fits-all solution for OT security. It might be right that the CISO has responsibility, but equally it could be that the engineering director is best placed to do this. 

“What is important is getting the right organisational structure in place that can empower and support the OT team to improve security, and to enable the business to achieve its objectives.”

Although there is yet to be a major cyber attack on telecommunications networks, more than half of respondents (53%) think the telecoms sector is most vulnerable to attack and one-third believe it is the utilities sector, with both sectors heavily reliant on OT.

Despite the fact that the manufacturing sector is reported to be the UK’s second most targeted industry sector, according to the recently launched NTT Security Global Threat Intelligence Report (GTIR), just 13% of respondents say it is most vulnerable to a cyber attack.

To manage OT risks, NTT Security recommends:

1. Establishing a programme of work for securing OT, including:

• Forming a multidisciplinary team.
• Reviewing roles and responsibilities, ensuring people are suitably trained and briefed.
• Establishing security context, ensuring that security enables the business to achieve its objectives.

2. Assessing the risks associated with OT by:

• Identifying OT assets and increasing visibility into OT networks.
• Identifying a baseline and target risk profile.
• Assessing risks.
• Identifying prioritised tasks required to reach target profile.

3. Implementing risk reduction measures by:

• Reviewing architecture.
• Identifying a security concept for OT environment.
• Establishing a network baseline for “normal behaviour”.
• Implementing security controls and reviewing effectiveness against risks.

4. Improving security operations by:

• Regularly reviewing risks and opportunities.
• Reviewing and responding to detected anomalies.
• Practising incident response plans.