Intelligent CISO Issue 33 | Page 34

PREDICTIVE INTELLIGENCE

Addressing cybersecurity risk management in OT networks
Critical industries understand risk management well – but cybersecurity risk is different and needs to be treated as such.
Specified capabilities and even budget for OT and ICS environments are often scarce, which can lead to unclear cyber plans left to site managers or network admins. Further, penetration testing in these areas can be restricted to basic port scans or high-level assessments.
It's important that suitable assessments – such as passive discovery and monitoring – and appropriate methodologies for quantifying risk metrics, such as Annual Loss Expectancy (ALE) or Single Loss Expectancy (SLE), are applied. This can help ensure reliable data is used to make risk-mitigation investment decisions and to apply effective strategies.
Threat intelligence sharing
Sharing actionable and timely threat intelligence is crucial to defending against cybersecurity threats. Australia primarily uses a combination of intelligence gathered by the US Cybersecurity and Infrastructure Security Agency, alongside intelligence from the Australian Cybersecurity Centre (ACSC).
Locally, we lack a focus on OT and ICS resources, with most of the attention given to the better-known area of IT threats. This is not a fair reflection of the threats each set presents, and this paper should be leveraged to reduce the divide.

To do that, the government should mobilise agencies and alliances to monitor the global threat landscape and create a collaborative threat-sharing community between operators, vendors, researchers and themselves.
Sector-based cybersecurity maturity frameworks
A one-size-does-not-fit-all theme is emphasised throughout the DHA's paper as critical infrastructure industries are substantially different from each other.
The sentiment is correct – but as it stands, industry-specific cybersecurity frameworks are rare. Energy is the exception here, and the Australian Energy Market Operator (AEMO) has focused on promoting operator self-assessments and enabling collaboration and intelligence sharing. A similar approach would help each critical industry develop a bespoke posture.
Third-party risks: OT/ICS automation vendors and vulnerability management
Vulnerability discovery and patching usually come up early in IT third-party risk discussions – naturally, this has transitioned to OT discussions too, but it's not always the best approach.
Industrial organisations can achieve better initial risk reduction with approaches more suitable for a low maturity in OT/ICS cybersecurity.
These solutions include network and operational visibility, which is more cost-effective and has less impact on operations.
Unlike IT, where the process has matured over time, creating an OT patch management program is challenging for a number of reasons, including slower patch evolution, deployment in segregated remote environments, abandoned and unmaintained software and hardware and a lack of vulnerability disclosures, patch reliability and uptime requirements.
There is greater training and collaboration between vendors and third-party suppliers to ensure they are aware of the specific risks of OT and ICS, with a particular focus on network visibility. This should be addressed and encouraged in the paper's final report.
Overlooking the skills shortage
A key element missing from the paper is skills shortages – this is already an issue in IT cybersecurity, but it's particularly prevalent in the area of OT.