5 Principles for Effective OT Security Governance

OT security Governance: Balancing Authority and Accountability

Operational Technology (OT) governance in cybersecurity refers to the framework and processes determining how OT systems are managed and secured. It encompasses questions of authority and accountability, crucial for minimizing cyber risk in operational processes. OT governance involves high-level strategic decisions (‘Big G’) and daily operational choices (‘Small g’).

1. Strategic Governance (‘Big G’): This includes setting the overall cybersecurity agenda for OT, establishing performance metrics, deciding who has the final say in risk management, and determining who is accountable in case of security incidents.
2. Operational Governance (‘Small g’): Here, the focus is on immediate decisions like patching devices, selecting cybersecurity tools, and managing equipment updates.

The IT vs. OT Debate in Security Leadership

There’s an ongoing debate about the roles of IT and OT in cybersecurity governance. Key questions include whether the Chief Information Security Officer (CISO), Head of Operations, or Chief Information Officer (CIO) should lead OT security efforts. Decisions on who controls security for OT assets and the alignment of authority with accountability and resources are central to this discussion.

Three Themes in OT Security Governance

Organizations must understand their key cybersecurity challenges to build a robust OT security governance framework. These challenges reflect the realities of managing cybersecurity in operational technology, shaped by several key themes. Understanding these themes helps to grasp the nuances of the five guiding principles for effective governance.

• There is no one-size-fits-all answer: Every organization’s journey in cybersecurity is unique, shaped by its culture, operational model, and risk profile. This diversity demands a governance approach that is not one-size-fits-all but tailored to fit each organization’s needs and context.
• There is no single point of authority and accountability: In many organizations, cybersecurity’s responsibility spans various departments and roles. This distribution of authority and accountability highlights the need for a coordinated, collaborative approach to governance, ensuring that all parts of the organization are aligned and working together towards common security goals.
• Most companies need help with leadership alignment: With the rise in cybersecurity threats and often limited resources, aligning the organization’s leadership on security strategies becomes even more critical. This alignment is about agreement on strategy, commitment, and support for the necessary resources and changes.

Swift Adaptation in a Changing Landscape: Prioritizing Action in OT Security Governance

From 2019 to 2021, OT vulnerabilities increased by 50-60%, but headcount and resources decreased as risk increased. With the emergence of various threat actors and external forces in OT/ICS security, industrial organizations must adopt an OT governance model to make progress quickly in their OT security programs.

Watch the full on-demand webinar recording of “Designing the Right OT Governance Structure and Model” here.

Five Principles to Design the Right OT Security Governance Model

1. Start with alignment at the top

Achieving the right governance model requires clear alignment of the C-suite as to the real risks to operations, the risk appetite of the senior team and board of directors, rough estimates of the cost to achieve different levels of security maturity, and how the senior team will make decisions on critical trade-offs in these areas.

The natural leader for this exercise is the CISO, the most important of all the many hats a CISO must wear. This is not to say that the CISO will have the authority to make all the decisions. In most successful exercises we have seen, the CISO plays an influencing rather than a determinative role in bringing the senior team to alignment on the best path forward, considering the various trade-offs across the business.

Although specific governance models often focus on the definition of where authority and accountability reside, we have seen many RACI (responsible, accountable, consulted, and informed) charts become paper exercises unless there is a truly shared understanding of objectives and priorities at the top.

Basing budgets, metrics, and resources on an agreed set of objectives maintains alignment. Many organizations are far along in the OT security journey without realizing they have yet to achieve clear alignment at the top. In most cases, the best choice is to reset and ensure the team takes the time to establish this basis of understanding, or future progress may slow.

2. Go with the flow of the current organizational style, not against it

One of the most successful OT security executions the Verve team witnessed came from a utility holding company with a culture of business-unit independence and ownership of results. The company’s incumbent governance model uses the classical distributed business-unit P&L ownership model made famous by Emerson Electric, Illinois Tool Works, Danaher, and many other industrial companies over the years. The principle is to make clear accountabilities around the “what” – i.e., targets and objectives. Then, let the management of each business unit have full authority as to the “how” – i.e., strategies and tactics to deliver.

In the case of cybersecurity, the senior team established a very clear, top-down directive as to the objective and standards they expected each business unit to achieve – in this case, the CSC top 18 controls – down to specific maturity levels by each sub-control. They put a company-wide review process in place to ensure progress to the objective.

The CISO was very involved in helping shape both the objective and the process. Then, the “how” was left to each business unit. Decisions such as what tools to deploy, how to balance compensating controls, the specific approach to achieving least-privilege settings, specific approaches to incident response, etc., came down to the business unit but within an overall construct of a set of objectives and metrics.

I can already hear the complaints with this approach: duplication of effort, inefficient use of underlying tools, not applying corporate best-in-class approaches to each business unit, need for duplicate cybersecurity expertise in a world where cyber talent is limited, too focused on a set of standards rather than real “security” and reduction in threats or time to remediation.

All of these limitations are absolutely true and addressed through other measures. However, the organization did not have a culture of centralized experts or top-down directives of shared tools or infrastructure. To create such a model would have meant going against the primary mode of operation for the organization. Had the CISO tried to push in this direction, he most likely would have ultimately failed because it was not in the organization’s DNA.

He knew that no governance model was perfect. Successful OT security leaders take the time to understand the overall governance culture of their organizations and build a model that works with the flow rather than trying to force-fit a theoretically better governance model. Then, they address the gaps unique to that approach to ensure manageable limitations.

3. Follow the money

One of the most challenging aspects of cybersecurity governance is ensuring budget alignment with accountability. In many organizations, cybersecurity-related spending is distributed across the company – plants may be responsible for the budgets of their OT systems, including updates, patching, and management; corporate IT, however, may manage the budgets of network gear and possibly segmentation; the CISO may manage to spend on security-specific initiatives such as anti-malware or monitoring logs for threat detection; HR may have the budget for training and awareness development; and facilities management may be responsible for the building systems such as warehousing, chillers, freezers, etc. which may be critical to operations. In this kind of distributed environment, capturing current spending related to cybersecurity and prioritizing additional spending on new protective or detective measures is difficult.

We have seen clients adapt to this situation in different ways. Some have created a shadow accounting system aggregating spending from different business units into a holistic cybersecurity budget. Others have established clear objectives and asked business units to achieve them while managing their overall budgets in line with typical year-over-year increases, essentially making spending trade-offs on cybersecurity vs. other items. Still, others manage security compliance at a plant-by-plant level and ensure that the budgets for the plants take into account cybersecurity as one key element of its metrics.

Whether they use one of the models above or some alternative, organizations first need to gain visibility to total cybersecurity spend and second to align budget authority with security accountability to manage risk effectively.

4. Adopt operations’ use of balanced scorecards and KPIs

Successful operations organizations run on metrics, targets, detailed procedures, and tactical results monitored on an hourly, daily, and weekly basis. cybersecurity objectives are often subtle or aspirational: reduce vulnerabilities, identify potential malware, identify attackers, improve incident response by X%, etc. Successful OT security approaches will work with the flow of operations management and transform these subtle objectives into very tactical targets and metrics that can be shown on simple red, yellow, and green charts.

One Verve customer adopted the NIST CSF as their cybersecurity framework and went to the next step and implemented a set of measures that could be tracked weekly, monthly, and quarterly. Each control area had a set of targets and metrics (e.g., number of critical patches not deployed, number of machines without a backup in the past week, number of false-positive alerts, time spent by operational personnel responding to false alarms, etc.).

Importantly, they treated the corporate SOC that was analyzing threat data as if it were an upstream supplier of material. They were held to targets relating to threat detection quality and timeliness. These data were shared regularly between operations and the SOC to ensure the teams were accountable to one another. When items were not “in the green,” remediation plans were put in place, as they would be if it were a product quality or throughput metric.

Operations are used to manage a balanced scorecard of KPIs beyond just production volume and cost. They already manage occupational safety, environmental quality, product quality, etc. in parallel to their operational metrics. By working with the flow and making cybersecurity an additional element of that balanced scorecard, organizations can align accountability with the authority to assign resources and take action.

5. Get tactical

The NIST Cybersecurity Framework contains five core areas and 98 specific subcategories. CSC 20 has over 140 sub-controls. It is impractical that a high-level governance model will succeed across all these sub-elements. Just as operations do, the team needs to build detailed procedures identifying accountable parties and their levels of authority around specific deliverables.

Governance tends to break down at the micro-level. For instance, in the identified component of NIST CSF, who is in charge of maintaining the asset database with the required information? The IT team may believe it should do so, but OT may argue that running the IT tools on the OT networks is not safe or appropriate. Furthermore, in some organizations, the asset information required at the plant level may be well in excess of what is necessary at the corporate from a cybersecurity management point of view. In another example, the decision to patch a critical device immediately, leave it until an outage, or perhaps leave it semi-permanently until the device can be upgraded is a debate we see almost daily with our clients.

In critical operations where a wrong – or perhaps even a correct but delayed – decision can lead to lost production, injury, or even death, these detailed decision rights are critical to assign upfront. Successful operators take the time to document in detail not only the decision rights but also who will take the necessary actions in areas such as maintenance or quality.

In summary, effective OT security governance hinges on a tailored approach, balancing authority and accountability within an organization’s unique context. The key lies in aligning leadership at the top, integrating cybersecurity into the existing organizational culture, and ensuring that budgeting, metrics, and tactical actions are closely aligned with security objectives. This approach, informed by the principles of strategic and operational governance, enables organizations to adapt swiftly and effectively to the evolving cybersecurity landscape, enhancing their resilience against threats in operational technology.