InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can help companies improve their overall cybersecurity posture by implementing effective OT security measures.
Supply chain risks are compounded for organizations that must protect both their IT and their OT from cyber-attacks. What technologies and approaches should they consider implementing? What specific pitfalls should they avoid, and how?
Most third-party risk programs are IT-focused, including suppliers that have access to the organization’s intellectual property or network. But some OT suppliers have physical and remote access to the OT environment for troubleshooting, maintenance, etc., and it’s important that the risk posed by those suppliers is included in the enterprise third-party risk program. Remote access to OT poses obvious security risks, and on-site access often involves USB drives and other direct electronic access, which can also introduce malware into the OT environment. The good news is that these vendors can simply be included in existing third-party risk programs.
On the other hand, more and more suppliers are being impacted by ransomware hitting their OT environment. This impacts their ability to provide their products and services to their customers, which can in turn impact their customers’ operations. Therefore, the scope of third-party risk programs needs to be broadened once again to include critical suppliers in OT – those whose products or services are critical to the organization’s own OT operations. Now the bad news: existing third-party risk programs typically do not assess security risk in OT environments. In fact, although frameworks and best practices are emerging in OT security, organizations usually need to rely on OT security experts to assist in these assessments and remediation recommendations.
Finally, we have seen increasing cyber-attacks against the software supply chain, as well as attacks targeting vulnerabilities in critical OT products. When choosing suppliers of critical OT products, it is important to determine whether the vendor is certified to ISA/IEC 62443 – the leading security certification in OT. Those certifications should be an important factor in choosing products for the OT environment.