John Cusimano, Vice President, OT Security, Armexa
February 19, 2025
COMMENTARY
Boards of directors play an important role in managing the strategic risks faced by their organizations, particularly in sectors with high-risk operational technology (OT) environments such as energy, transportation, manufacturing, and production. Each of these industries relies heavily on OT — the hardware and software that controls physical processes and devices — to maintain safe, reliable operations, making them particularly concerned about cyberattacks. However, understanding and managing cyber-risks in OT systems can be challenging for boards, often due to the cyber-physical nature of OT and its integration with information technology (IT).
The Primary Obstacles Boards Face in Evaluating OT Risks
One of the biggest challenges boards face is the wide gap between OT specialists and board members. Individuals with deep OT domain knowledge are often too far down the organizational hierarchy to directly influence board-level decisions. This disconnect can lead to a lack of risk awareness and understanding at the highest levels of the organization.
Additionally, the chief information security officer (CISO), who typically manages enterprise cybersecurity risk, often lacks the specific expertise and training needed to manage cyber-risks in OT environments. OT systems have security vulnerabilities that are significantly different from traditional IT systems. This can result in OT cybersecurity being misunderstood, understaffed, and underfunded despite the potentially catastrophic impact of an OT cyber incident.
To gain a true picture of OT risks, boards may consider appointing a dedicated OT cybersecurity leader to collaborate closely with the CISO. This role will often have executive-level visibility as well as the authority and resources to assess and manage OT security risks effectively. Just as companies have dedicated leaders for managing environment, health, and safety (EH&S) risks or financial risks, they also need specialized leaders for OT security. More companies are recognizing this need and are creating dedicated roles for OT cybersecurity leaders, signaling a positive shift in prioritizing OT security.
Three Key Strategies Needed for Effective Decision-Making in OT Environments
Effective decision-making begins with recognizing that the consequences of an OT security breach are notably different from an IT security breach. While an IT breach might compromise data and financial assets, an OT breach can have serious consequences, including physical damage to equipment, disruption of critical processes, and even health, safety, and environmental impacts.
To address these challenges, organizations must consider adopting a risk-based approach to OT cybersecurity. This involves following industry standards for OT risk assessment and management, such as ISA/IEC 62443-3-2, which provides guidance on partitioning OT systems into security zones and developing credible risk scenarios.
By developing and analyzing risk scenarios, organizations can identify and prioritize the most serious threats to their OT environments. These scenarios can be ranked based on their likelihood and potential impact, using the same scale the company uses for ranking other risks, ensuring consistency and allowing the board to understand the relative importance of different risks in a broader organizational context.
How to Achieve Strategic Cyber-Risk Management Across the Organization
Boards of directors that recognize the need for separate but aligned programs for IT and OT cybersecurity, each led by their respective experts, will be able to address the specific characteristics and risks associated with each domain. IT security focuses on protecting data confidentiality, integrity, and availability, while OT security prioritizes safety, availability, and process integrity.
To ensure effective oversight and governance, boards can establish an OT Cybersecurity Governance Committee. This committee may include key executives from operations, engineering, IT, and finance, fostering cross-functional collaboration to make sure that OT cybersecurity is integrated into the organization's overall risk management framework.
The Board's Role in OT Security
Boards and senior management must proactively address the growing cyber-risks in OT environments. This requires a multifaceted approach beginning with appreciating the unique challenges and risks associated with OT cybersecurity, including understanding the potential consequences of OT breaches and the importance of dedicated OT security leadership. Organizations will need to invest in building internal OT cybersecurity expertise and/or partnering with specialized external providers. This includes hiring skilled professionals, providing ongoing training, and leveraging external resources when needed.
The next step is to develop a comprehensive OT cybersecurity program that includes elements such as risk assessments, vulnerability management, incident response planning, security awareness training, and continuous monitoring. The program will foster collaboration between IT and OT by sharing information, aligning security policies, and coordinating incident response efforts. With an evolving threat landscape, it's important to regularly review and update the OT cybersecurity strategy to ensure it remains effective, focusing on emerging threats, vulnerabilities, and best practices.
By taking these proactive steps, boards can improve their organization's resilience against cyberattacks and protect their critical OT assets. Specialized firms can provide valuable guidance and support in navigating the complexities of OT cybersecurity, helping organizations align their security processes with business goals and achieve their desired security outcomes.
Boards of directors have an important role in overseeing and managing cyber-risks in OT environments. By understanding the challenges of OT security, investing in dedicated expertise, and adopting a strategic and proactive approach, organizations can strengthen their defenses and safeguard their critical operations from the growing threat of cyberattacks.