Overcoming Objections to a Secure Industrial Assessment

April 14, 2022

The scenario: You work at an organization that relies on a large operational technology (OT) environment to drive its business. This environment lacks visibility into the full inventory of OT devices, how they all talk to one another, and how they are accessed remotely. You realize these shortcomings all add up to significant business risks that need to be addressed. There is budget available for a Secure Industrial Assessment, and like many company stakeholders aware of the increasing cyber attacks against industrial control systems (ICS), you see the value in getting the assessment done. However, your organization is big and has many stakeholders, and there are differences of opinion on how to spend the budget.

Here are the top objections you’re likely to hear from internal stakeholders, along with powerful counterpoints you can respond with so you can move forward with the assessment.

  1. “We don’t want a third-party consultant in there accidentally breaking stuff. It could delay production or impact our team’s safety.”

Any reputable ICS cybersecurity service provider’s team should have decades of experience and understand it is vital to be completely non-disruptive when working in OT environments. Their process will be based on interviews and passive monitoring tools to inventory assets, determine communication flows, and identify vulnerabilities. This approach eliminates the operational risks and safety impacts that may arise from conventional IT vulnerability scanning tools.

  1. “Our organization doesn’t have time for this. Our team has other priorities.”

It’s true that an assessment takes up some of the organization’s time and focus, but once initial discovery sessions are finished, a good Secure Industrial Assessments team can take it from there. At most sites, passive scans can be finished in one to three days, with final reports typically requiring only two to four days to complete. Ultimately, the detailed insights into your OT environment’s inventory, interconnections, and the related risks to your industrial control systems are worth the modest investment of time and energy from your team.

  1. “Now is not the time. We can’t risk production delays and we won’t be able to act on the results any time soon.”

A proper Secure Industrial Assessment that uses passive monitoring cannot cause production delays because it consumes no processing power or network bandwidth from the systems it scans. If you’re unable to perform remediations any time soon, conducting a Secure Industrial Assessment now will provide a road map for when your organization is ready to move forward, as well as a comprehensive asset inventory that saves you time and effort on future projects. And bear in mind: if your OT environment has serious vulnerabilities, a cyber attack that exploits those vulnerabilities could yield impacts far worse than production delays.

When layering in security to industrial control systems, it’s important for those with an IT background to understand that the reactive approach administrators can often get away with on an IT network simply does not apply to OT environments. Consistent uptime is always the priority with industrial control systems, so the update/upgrade windows for these environments are few and far between.

At iON, our Secure Industrial Assessments help you take advantage of the ample lead time between maintenance windows by providing guidance toward creating a defensible OT architecture.

The key components of a defensible OT architecture that we help you to implement are:

  • Proper Segmentation – A properly segmented architecture not only aids attack prevention but serves to limit the impact of successful attacks, providing your OT team with a means of containing attacks and accelerating recovery from them.
  • Improved Visibility – OT attacks often have nothing to do with exploiting specific system vulnerabilities as in IT, instead they frequently involve attackers navigating through the target OT systems and changing the settings of these systems to result in disruptive, or even destructive, outcomes. We help you apply the principle of Active Defense, incorporating measures that better enable effective monitoring by your people to help spot anomalous or malicious activity.
  • Zero-Trust Principles – We help you ensure that only those who need to access your OT systems get access to them, providing practical, actionable guidance on Centralized authentication, authorization, and logging, and Secure Remote Access.

If your organization wants to improve or evaluate its ICS cybersecurity, iON brings over 75 years of combined experience in securing industrial control systems into every Secure Industrial Assessment we provide.

We are here to help you keep your business safe: Contact us today