Integrating Compliance into OT Security
The recognition of the importance of compliance translates to much more than a “need to have.” When set up properly, it improves security.
By Rick Peters, CISO for operational technology, North America, Fortinet
Though compliance is yet another item for OT leaders to be concerned about, it’s critical to security and to business enablement. But compliance can mean different things, and it’s difficult to know where to start and what to track. Getting the right security architecture in place is an important starting point. However, compliance extends beyond that to automating not only compliance tracking and reporting but also notifications of intrusions and/or breaches and their remediation. By doing this, compliance can actually be less burdensome and more of an opportunity.
Rising importance of security
When attacks arise against operational technology (OT) environments – including assembly line systems, valves and pumps, thermostats, pipelines and other control systems – the impact can not only disrupt operations and hurt productivity but also cause ecological damage and compromise human safety.
What’s troubling is that 56% of organizations using industrial control systems (ICS) report experiencing a breach in their OT systems during the previous year, and 97% also acknowledge that many of these security challenges were the direct result of their IT/OT convergence efforts. Security is not only essential, but it can also go hand-in-hand with compliance – in fact, there’s a symbiotic relationship between the two.
Grappling with compliance
OT professionals have to deal with a variety of different regulations depending on the sector, especially those in critical infrastructure. One example is the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), aimed at securing the assets required for operating North America’s bulk electric system. But there are also regionally specific challenges like the California Consumer Privacy Act, which applies to any company doing business in California and places strict regulations on protecting consumers’ personal data.
People often view compliance as a costly exercise that is difficult to quantify from an ROI perspective. But if you think compliance is tedious and expensive, try non-compliance. The legal, financial and reputational ramifications just aren’t worth it. Once you look beyond the perceived frustration, compliance reveals itself as a critical security linchpin and business enabler. In fact, the key discovery would be that compliance is an effective means for enhancing protection and tracking and reporting on security measurements that matter.
Compliance and security go hand-in-hand
Getting the right security architecture in place is an important starting point. Closely considering data and how it is used helps organizations define their current risk and proactively ensure they have the right security processes and architecture in place to address compliance requirements. Achieving compliance means proactively strengthening your security posture, which is far less expensive than recovering from a breach, ransomware attack or operational outage.
Compliance extends beyond infrastructure to include automating not only compliance tracking and reporting but also notifications of intrusions and/or breaches and their remediation. Manual aggregation and interpretation of compliance indicators across disparate security systems simply takes too much time. Even if a security leader has an infinite resource budget, it is almost impossible to recruit and retain all of the cybersecurity talent needed, due to the acute cybersecurity skills shortage. Instead, automated tracking and reporting of compliance frees a security team to focus on strategic initiatives rather than tactics.
Automated reporting and notifications not only help the security team to stretch limited resources but help ensure regulatory compliance. Take GDPR as an example. In the event that critical assets and data are breached, security organizations must send a notification within 72 hours or face substantial fines. With the appropriate controls in place and the ability to shrink intrusion-to-detection windows, organizations can automate breach notifications and even the remediation process.
A happy tech marriage
Compliance is far more than a mandated or laborious chore. Regulations and standards offer valuable insights into the security factors that should be measured. In the case of security standards such as NIST Framework Compliance, organizations can codify security benchmarks and best practices and then measure their risk posture against those—proactively making improvements in areas needing remediation.
Achieving compliance is extremely difficult for a security organization lacking a comprehensive architectural approach. A starting point for a winning compliance strategy is the adoption of an integrated security architecture that addresses the entire attack surface while integrating all of the security elements. It also means that certain security processes are automated, eliminating manual tasks and speeding detection, prevention and remediation. When compliance is viewed as a key component of enterprise security, it enables commitment from stakeholders, and cybersecurity resilience is the measurable outcome of greatest value.
Mr. Peters is the CISO for Operational Technology, North America for Fortinet Inc. delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities.
Immediately prior, he served as the Director Operational Technology Global Enablement for Fortinet. In this capacity, Mr. Peters enabled OT business growth by partnering with Fortinet OT Security, Sales and Marketing counterparts. The success realized in EMEA and APAC over two years keyed recognition and a strategic transition to focus on North America as the largest target marketspace in 2020.
Prior to joining Fortinet, he served the U.S. Intelligence Community for more than 37 years imparting cybersecurity and global partnering experience across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). He led development of cyber capability against Endpoint, Infrastructure, and Industrial Control System technologies at the agency.
Before that role, he partnered as an executive leader supporting the Information Assurance Directorate at the NSA. Mr. Peters also served in a broad range of leadership and Engineering roles including Chief of Staff for the NSA Cyber Task Force and a 5-year forward liaison charged with directing integration of cyber and cryptologic solutions for U.S. Air Force Europe, Ramstein AFB, Germany.
Mr. Peters is a repeatedly published OT Security thought leader and a frequent speaker at global industry events. He holds a BS in Electronics Engineering and an MS in Engineering Management from the Johns Hopkins University.