Addressing New ICS/OT Cybersecurity Regulations
In the spring and summer of 2021, the United States and other governments worldwide issued several new regulatory initiatives in response to a series of very public ransomware attacks on critical infrastructure such as Colonial Pipeline, as well as lesser-known, government-tracked hacking attempts against other entities. The writing is on the wall: the future of OT cyber security is one of greater threats – and much greater regulatory scrutiny of protection and response.
This paper lays out the likely future scenario and shows how industrial organizations can make immediate progress while preparing for the coming deluge of industrial cyber security compliance requirements. It offers lessons on how to achieve a successful and efficient programmatic response to the current – and future – regulatory environment for ICS/OT cyber security.
These perspectives are based on practical experience. For the past 15 years, Verve Industrial has been on the front lines working with North American power companies to address the compliance requirements of NERC CIP. More recently, we have supported the response of multiple North American pipeline operators to the new regulatory requirements.
We have seen the challenges of addressing these more prescriptive cybersecurity requirements and understand how easy it is to become overwhelmed with the processes, complexity, and inefficiencies of this change. However, we remain confident about managing cyber security regulations, encouraged by the many organizations that successfully adapt and create efficient means to secure their environments and achieve effective compliance with regulatory requirements.