Page 62 - RC21 EDGE Summer Issue
OT CYBERSECURITY IN 2021 – Continued from page 35
of new projects do not incorporate cybersecurity practices into the requirements.
Who is liable in the event of a breach?
This is a sensitive topic particularly among service providers, engineering firms and insurance companies. Irrespective of the money that is spent on technology and services, it is impossible to guarantee (or warrant) that all breaches can be prevented. The best defense is a good offense. Investments in each of the five risk areas are required. Ultimately the responsibility falls upon building owners to determine what risks they are willing to accept and therefore what preventive measures will require ongoing mitigation. Building owners should carry cybersecurity policies to cover the costs of forensics, restored functionality and business interruption. Our research shows us the insurance industry is ill-equipped to provide such coverage in all cases unless specifically related to third party loss.
IT and OT working together
In 2019, the IT industry spent $124 billion on cybersecurity products and services. There is no corresponding estimate for the OT industry, but we are confident it is insignificant in relation to the need. Where money is being spent, it is allocated from IT budgets since facility budgets rarely treat this as an ongoing expense.
IT on the other hand is unfamiliar with OT systems and the many differences that exist in the technology and the supplier environment. What the IT industry brings is a head start in managing cybersecurity risk. Major organizations such as NIST and ISO have well-recognized cybersecurity standards for the IT industry. While these standards represent a good starting point, they are often mismatched and insufficient. The Gartner Group pointed this out in 2019: “... porting IT security technology and practices to address OT security will not result in a more secure OT environment.” Why is this the case?
1) Different Worlds: Despite the fact that OT systems today leverage the same underlying technologies found in the IT industry, the actual implementation is typically done in ways that are incompatible with the tools and devices used to secure IT environments. There are many examples of well-intentioned IT staff shutting down OT systems in their effort to identify vulnerabilities.
2) Different Priorities: OT systems operate mechanical and electrical equipment and physically secure buildings on a 24 / 7 basis. Facility engineers and contractors understand this environment, which is foreign to many IT engineers.
3) Complex Solutions to Remote Access: IT departments traditionally limit access with complex and costly remote access solutions. This is seen as too difficult for the fragmented and turnover-laden OT environment. There is a new breed of secure remote access that is much more “plug and play” friendly for OT contractors and staff. It will take time for this to become the norm.
4) Cultural Unfamiliarity: OT personnel, whether in-house or throughout the supply chain, are uncomfortable having cybersecurity discussions. They have neither the background nor the experience. It starts with training, but requires a cultural shift, whereby cybersecurity safeguards and risk management become a natural part of how the work gets performed.
Where should we go from here?
1) The entire industry from building owners through suppliers must recognize the seriousness of the risks.
2) Risk management resources must become a standard component of the OT operating budget.
3) The existing inventory of systems needs to be assessed, remediated and placed under risk management programs that include networks, systems and people.
4) IT and OT staffs must work together and learn from each other. OT staffs, including service providers, need maximum flexibility to deliver on operational objectives but must adhere to the same cybersecurity principles as IT departments.
5) New building specifications must include cybersecurity performance standards for networking, system configuration, user administration and ongoing risk management, and be commissioned as such.
Steve Fey is CEO of Totem Buildings. Steve is an industry expert in operational technology with over 35 years in building automation, physical security, and industrial automation. Previously, he was CEO of Tridium from 2006 to 2012 and more recently served as president of Proxios, a mid-Atlantic, “IT as a Service” firm.