Cybersecurity in Operational Technology: Why You've Been Thinking about It All Wrong
NOTE: This article is written by a guest contributor, Antti Kaunonen. Antti is also advising SSH in automation and operational technology cybersecurity topics as a long-term expert in the industry.
Throughout my career, I've always worked at companies that needed to connect and integrate countless different kinds of systems, from PLC, DCS, PAS, MES, or SCADA to ERP solutions - yes, I've learned to love the acronyms. The common factor is that all of these individual systems tend to require some kind of external connectivity for different suppliers.
Contents
Why do we need to re-think cybersecurity in operational technology?
The role of a company's management and board in cybersecurity
The role of cybersecurity in modern operational technology
Cybersecurity in operational technology: Time to go passwordless and keyless
Why do we need to re-think cybersecurity in operational technology?
As a society, our track record for industrial cybersecurity is, frankly, rather embarrassing. At a leading systems provider company, where I worked in the late 1990s, we started tallying the number of different data connections and interfaces that we had with one of our key customers, a major corporation in its industry. We stopped counting when we got to around 50 connections, all with different specifications and standards, all of which should have had, at least in principle, some kind of security in place.
Have we as an industry succeeded to improve cybersecurity with connectivity? Not really. And in the decades since, the number and complexity of data connections between companies and their suppliers grew by at least a couple of orders of magnitude. With threat models evolving at the same exponential pace, how can we even begin to address the question of how to keep our business, data, systems, customers, and employees safe from external and insider threats?
The role of a company's management and board in cybersecurity
Having spent time in various leadership positions for tens of years in logistics and industrial companies, I have nothing but sympathy for everyone who needs to be making these kinds of decisions as part of their work. Management is responsible for ensuring adequate cybersecurity protection for the company, but the accountability ultimately extends to the board of the organization. So, if you're a board member, yes, it really is your job (and not only the CIO's) to be thinking about this stuff. And yes, you should be concerned.
Over the years, I've learned that the first step in successfully addressing IT and automation security is going through a shift in mindset that is incredibly obvious but also quite counterintuitive for business leaders. It is this:
Cybersecurity is not just an investment with a return on investment (ROI). It's also an insurance policy against outcomes that you simply cannot permit to happen.
The role of cybersecurity in modern operational technology
As a simple analogy, how do you calculate the ROI for having smoke detectors, extinguishers, and fire insurance for your house? You don't, because having your home burn down is an existential, financial, and personal risk that you cannot accept, no matter how small the odds are of that scenario happening.
Even though the analogy with fire insurance is helpful, it's also flawed for a very basic reason. The probability of your home actually burning down tomorrow is extremely small. By contrast, the likelihood of your company being the target of some kind of cyberattack is very close to 100%. Your home is not being probed and attacked 24/7 by remote arsonists from all over the world, using automated online tools, or – even worse – crafting tailored attacks to penetrate and set fire to your specific building.
So, the bad news is that the arms race is accelerating, and the threats are getting more sophisticated every day. The good news is that you are not defenseless. There are ways to fix vulnerabilities, protect your systems while ensuring secure access for those users that need it, and safeguard your business continuity. But the first step is recalibrating your own thinking.
Cybersecurity is not only something you buy, it's the insurance policy for the entire existence of your business. The normal logic of trying to calculate an ROI breaks down if the downside of the bet is "game over".
How much would you be willing to pay to fix the situation if your company's entire IT infrastructure were shut down right now as a result of a ransomware event? And how likely do you think it is that no one out there would attack your operations this way if they had the chance? Think about it, do the math, and act accordingly. Take the responsibility that is yours.
Cybersecurity in operational technology: Time to go passwordless and keyless
The other bit of good news is that with the right cybersecurity solution, you actually can get a lot of your investment back in a measured way, thanks to increased productivity and reduced complexity. By going passwordless and keyless, and by maximizing automation, you can improve your operational velocity with fast onboarding and offboarding of users and by radically reducing the number of credentials to manage in your environment. Less manual work, fewer passwords or keys to rotate, less waiting for access, and automatic access revocation are all factors that will improve your cybersecurity – and ultimately also your ROI.
Antti Kaunonen
Antti Kaunonen (b. 1959) has over 40 years of international experience in global industrial businesses. Throughout his career, he has been heavily involved with automation and intelligent machines, most recently at Cargotec Oyj, from which he retired in 2022 after leading the company's Kalmar business area and its...