5 Principles for Designing a Successful Governance Model for OT Cyber Security
Operational Technology (OT) governance in cybersecurity refers to the framework and processes determining how OT systems are managed and secured. It encompasses questions of authority and accountability, crucial for minimizing cyber risk in operational processes. OT governance involves high-level strategic decisions (‘Big G’) and daily operational choices (‘Small g’).
There’s an ongoing debate about the roles of IT and OT in cybersecurity governance. Key questions include whether the Chief Information Security Officer (CISO), Head of Operations, or Chief Information Officer (CIO) should lead OT security efforts. Decisions on who controls security for OT assets and the alignment of authority with accountability and resources are central to this discussion.
Organizations must understand their key cybersecurity challenges to build a robust OT security governance framework. These challenges reflect the realities of managing cybersecurity in operational technology, shaped by several key themes. Understanding these themes helps to grasp the nuances of the five guiding principles for effective governance.
From 2019 to 2021, OT vulnerabilities increased by 50-60%, but headcount and resources decreased as risk increased. With the emergence of various threat actors and external forces in OT/ICS security, industrial organizations must adopt an OT governance model to make progress quickly in their OT security programs.
Achieving the right governance model requires clear alignment of the C-suite as to the real risks to operations, the risk appetite of the senior team and board of directors, rough estimates of the cost to achieve different levels of security maturity, and how the senior team will make decisions on critical trade-offs in these areas.
The natural leader for this exercise is the CISO; of all the many hats a CISO must wear, this is the most important. This is not to say that the CISO will have the authority to make all the decisions. In most successful exercises we have seen, the CISO plays an influencing rather than a determinative role in bringing the senior team to alignment on the best path forward, considering the various trade-offs across the business.
Although specific governance models often focus on the definition of where authority and accountability reside, we have seen many RACI (responsible, accountable, consulted, and informed) charts become paper exercises unless there is a truly shared understanding of objectives and priorities at the top.
Basing budgets, metrics, and resources on an agreed set of objectives maintains alignment. Many organizations are far along in the OT security journey without realizing they have yet to achieve clear alignment at the top. In most cases, the best choice is to reset and ensure the team takes the time to establish this basis of understanding, or future progress may slow.
One of the most successful OT security executions the Verve team witnessed came from a utility holding company with a culture of business-unit independence and ownership of results. The company’s incumbent governance model uses the classical distributed business-unit P&L ownership model made famous by Emerson Electric, Illinois Tool Works, Danaher, and many other industrial companies over the years. The principle is to make clear accountabilities around the “what” – i.e., targets and objectives. Then, let the management of each business unit have full authority as to the “how” – i.e., strategies and tactics to deliver.
In the case of cybersecurity, the senior team established a very clear, top-down directive as to the objective and standards they expected each business unit to achieve – in this case, the CSC top 18 controls – down to specific maturity levels by each sub-control. They put a company-wide review process in place to ensure progress to the objective.
The CISO was very involved in helping shape both the objective and the process. Then, the “how” was left to each business unit. Decisions such as what tools to deploy, how to balance compensating controls, the specific approach to achieving least-privilege settings, specific approaches to incident response, etc., came down to the business unit but within an overall construct of a set of objectives and metrics.
I can already hear the complaints with this approach: duplication of effort, inefficient use of underlying tools, not applying corporate best-in-class approaches to each business unit, need for duplicate cybersecurity expertise in a world where cyber talent is limited, too focused on a set of standards rather than real “security” and reduction in threats or time to remediation.
All of these limitations are absolutely true and addressed through other measures. However, the organization did not have a culture of centralized experts or top-down directives of shared tools or infrastructure. To create such a model would have meant going against the primary mode of operation for the organization. Had the CISO tried to push in this direction, he most likely would have ultimately failed because it was not in the organization’s DNA.
He knew that no governance model was perfect. Successful OT security leaders take the time to understand the overall governance culture of their organizations and build a model that works with the flow rather than trying to force-fit a theoretically better governance model. Then, they address the gaps unique to that approach to ensure manageable limitations.
One of the most challenging aspects of cybersecurity governance is ensuring budget alignment with accountability. In many organizations, cybersecurity-related spending is distributed across the company – plants may be responsible for the budgets of their OT systems, including updates, patching, and management; corporate IT, however, may manage the budgets of network gear and possibly segmentation; the CISO may manage spending on security-specific initiatives such as anti-malware or monitoring logs for threat detection; HR may have the budget for training and awareness development; and facilities management may be responsible for the building systems such as warehousing, chillers, freezers, etc., which may be critical to operations. In this kind of distributed environment, capturing current spending related to cybersecurity and prioritizing additional spending on new protective or detective measures is difficult.
We have seen clients adapt to this situation in different ways. Some have created a shadow accounting system aggregating spending from different business units into a holistic cybersecurity budget. Others have established clear objectives and asked business units to achieve them while managing their overall budgets in line with typical year-over-year increases, essentially making spending trade-offs between cybersecurity and other items. Still others manage security compliance at a plant-by-plant level and ensure that the budgets for the plants take cybersecurity into account as one key element of their metrics.
Whether they use one of the models above or some alternative, organizations first need to gain visibility into total cybersecurity spend and second to align budget authority with security accountability in order to manage risk effectively.
Successful operations organizations run on metrics, targets, detailed procedures, and tactical results monitored on an hourly, daily, and weekly basis. Cybersecurity objectives, by contrast, are often subtle or aspirational: reduce vulnerabilities, identify potential malware, identify attackers, improve incident response by X%, etc. Successful OT security approaches work with the flow of operations management and transform these subtle objectives into very tactical targets and metrics that can be shown on simple red, yellow, and green charts.
One Verve customer adopted the NIST CSF as their cybersecurity framework and went to the next step and implemented a set of measures that could be tracked weekly, monthly, and quarterly. Each control area had a set of targets and metrics (e.g., number of critical patches not deployed, number of machines without a backup in the past week, number of false-positive alerts, time spent by operational personnel responding to false alarms, etc.).
Importantly, they treated the corporate SOC that was analyzing threat data as if it were an upstream supplier of material. They were held to targets relating to threat detection quality and timeliness. These data were shared regularly between operations and the SOC to ensure the teams were accountable to one another. When items were not “in the green,” remediation plans were put in place, as they would be if it were a product quality or throughput metric.
Operations teams are used to managing a balanced scorecard of KPIs beyond just production volume and cost. They already manage occupational safety, environmental quality, product quality, etc. in parallel to their operational metrics. By working with the flow and making cybersecurity an additional element of that balanced scorecard, organizations can align accountability with the authority to assign resources and take action.
The NIST Cybersecurity Framework contains five core areas and 98 specific subcategories. CSC 20 has over 140 sub-controls. It is impractical to expect a high-level governance model to succeed across all these sub-elements. Just as operations do, the team needs to build detailed procedures identifying accountable parties and their levels of authority around specific deliverables.
Governance tends to break down at the micro level. For instance, in the Identify component of NIST CSF, who is in charge of maintaining the asset database with the required information? The IT team may believe it should do so, but OT may argue that running the IT tools on the OT networks is not safe or appropriate. Furthermore, in some organizations, the asset information required at the plant level may be well in excess of what is necessary at the corporate level from a cybersecurity management point of view. In another example, the decision to patch a critical device immediately, leave it until an outage, or perhaps leave it semi-permanently until the device can be upgraded is a debate we see almost daily with our clients.
In critical operations where a wrong – or perhaps even a correct but delayed – decision can lead to lost production, injury, or even death, these detailed decision rights are critical to assign upfront. Successful operators take the time to document in detail not only the decision rights but also who will take the necessary actions in areas such as maintenance or quality.
In summary, effective OT security governance hinges on a tailored approach, balancing authority and accountability within an organization’s unique context. The key lies in aligning leadership at the top, integrating cybersecurity into the existing organizational culture, and ensuring that budgeting, metrics, and tactical actions are closely aligned with security objectives. This approach, informed by the principles of strategic and operational governance, enables organizations to adapt swiftly and effectively to the evolving cybersecurity landscape, enhancing their resilience against threats in operational technology.