Research reveals operational technology security (OT) leaders believe that maintaining regulatory compliance is their top concern. Today’s threat landscape requires more.
One of the key findings from the Skybox Security research report, Operational Technology Cybersecurity Risk Underestimated by Operational Technology Organizationsis that “maintaining compliance with regulations and requirements” is the primary concern of OT security decision makers.
It’s easy to see why compliance is a concern: mandates change often, are difficult to interpret, and are often overwhelming. In the OT environment, there are many security requirements and methodologies. For example, there is:
- STIG compliance requirements
- NERC CIP Compliance
- Compliance with fair methodology
- Cyber Value at Risk (CVAR) Model
So while compliance is the primary concern in many different functions, it is not – in and of itself – a silver bullet against bad actors. Why not?
Compliance is only part of a larger security picture
Compliance frameworks provide insight into the fine-tuning of technologies in place, but compliance is only one facet of security intended to explain how things are progressing for that unique and specific area of concern. For example, NIST 800-41 focuses only on security controls and firewalls and only ensures compliance at a network’s perimeter and zone-to-zone access. That’s it. It does not deal with an entire business and its components. That’s not the full range of security measures needed for user identity, virtualization, or container security.
What are some of the main reasons for the misconception that compliance is enough? Part of that comes from normalization – a culmination of thoughts ratified. Like that old chewing gum ad, “four out of five dentists recommend Dentine for patients who chew gum.” It’s not an absolute endorsement, but it gives credit.
Satisfactory checklists do not guarantee OT security
Many organizations invest significant time and money in resources and technology to secure their environments, including meeting the demands of auditors. When companies pass and pass the checklist, it can be easy to assume that they have met the criteria and therefore should be safe. “We have the papers to prove it!” Unfortunately, this wishful thinking often leads to security vulnerabilities.
For example, research found that security teams vastly underestimate the critical risk of a cyberattack against their crown jewels. For example, 56% of all respondents are very confident that their organization will not experience an OT breach in the next year, but 83% said they had had at least one OT security breach in the past 36 months. In terms of compliance, it tells me, “I’m compliant, but I continue to be vulnerable to breaches.”
Consider the expression “you are only as strong as your weakest link”. Imagine a square table and three of the four corners are monitored for compliance. All three sides pass, but the fourth corner is a question mark. But officials from the other three corners can report that they are compliant. It doesn’t matter that the fourth corner isn’t. The whole table collapses. Or in the case of an OT organization, you are violated. An exposed vulnerability is all an attacker needs to wreak havoc on your business, and compliance alone won’t stop it.
With Skybox, you are compliant. But more importantly, you are safe.
Don’t sweep your cybersecurity vulnerabilities under the rug
Putting all your faith in compliance means sweeping your security vulnerabilities under the rug. It’s putting your head in the sand. Don’t think for a moment that compliance is all you need. It’s a recipe for getting hit at 3 a.m. when you discover your factory’s machinery is held hostage with a large production schedule that needs to be delivered the same day.
OT organizations need to improve their security and give vulnerability management the same importance as security policy and compliance management. This requires a platform that can visualize and analyze OT, hybrid and multi-cloud networks, providing full context and understanding of the attack surface. OT organizations can use this information and context to increase the overall strength of their cybersecurity compliance controls, processes and programs.
About Skybox Security
More than 500 of the world’s largest and most security-conscious enterprises rely on Skybox for the information and assurance needed to stay ahead of dynamically changing attack surfaces. Our security posture management platform provides comprehensive visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-neutral solution intelligently optimizes security policies, actions and change processes across all enterprise networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring businesses are protected. We are Skybox.
To visit www.skyboxsecurity.com for more information or view all recent Skybox Security content at hub.techcentral.co.za/skybox.
- This promoted content has been paid for by the relevant party