The year 2020 and all its implications had a significant impact on how organizations deal with their operational technology (OT) security. Similar to IT infrastructures, remote access has turned out to be a big challenge, but vendors in OT security reacted quickly. When it becomes difficult to deal with interruptions, resilience is more important than ever, but many OT organizations have not come to terms with that yet.
According to Gartner’s January 2021 Market Guide for Operational Technology Security report, “Gartner end-user inquiries suggest that, across all industry verticals except for the most highly regulated, about 60% of organizations are still in the awareness phase, about 30% are in the discovery to firefighting phases, and only about 10% are truly in the integration and optimization phases.”1
OT is the heart of an organization. This is where value is created. This is where an outage does not only cause a loss in revenue, but can cause significant damage to machines, to people, and to the environment. Incidents in OT cause a relatively large amount of damage compared to average outages in IT environments.
Therefore, it really does not surprise me that operational resilience has gained importance during the pandemic, especially because on-premises troubleshooting has become difficult. Fortunately, OT organizations realized the new requirements quickly, and OT security vendors saw the opportunity and reacted with remote access solutions.
Considering those massive drivers for innovation in the past year, it surprises me a little bit that such a small percentage of organizations are in the integration and optimization phase of their OT security journey. While external regulations and compliance standards are drivers in highly regulated verticals, awareness in organizations with less external pressure is driven by innovation and incidents. In other words, in many cases something has to happen before organizations realize there is a problem.
Certainly, the pandemic was a driver for digitalization to compensate for the lack of mobility. At the same time, ransomware is being adopted to specifically target industrial control systems, and there have never been more OT-related CVEs, not only because more research is being conducted and more security vendors are becoming active. Security vendors developing the market is evidence that cybercriminals are doing the same.
Considering those trends and the statistics proving we are still at the very beginning of building cybersecurity solutions into OT and CPS, I think it’s fair to assume that quite a few organizations will have their “Oh wow” moment in 2021.
What’s that “Oh wow” moment? When something happens, organizations suddenly realize there are unmanaged devices everywhere, the network is flat and open, vulnerable devices and outdated software are all over, and there is no security at all. This is just the way OT networks were built over the past few decades, and it is neither special nor easy to resolve. But is it concerning? Yes.
Moving forward after your “Oh wow!” moment
This moment of enlightenment is usually followed quickly by getting overwhelmed by all that needs to be done. If you are facing that situation, try to build a step-by-step plan and prioritize the actions. It is not possible to achieve 100-percent security immediately or with just one product, but it is important to begin to work on it. The first step is to define the initial situation, especially if the project was not planned appropriately. If an incident triggered the new initiative, the responsible people would need to get an overview first.
To fill the gap, it is necessary to combine IT security solutions with OT security requirements. That is a rather new field, and organizations struggle to find employees who understand both sides. Technology vendors have the same problem. While traditional automation technology manufacturers are still trying to get their heads around security and desperately attempting to find a way to position their solutions, most IT security vendors just try to serve this promising market without adapting to the specialized requirements.
And that is the challenge. Both aspects can be incredibly complex, and one cannot be addressed without considering the other. OT security solutions need to combine the best of both worlds. While next-generation security and remote access technology is key to combatting modern threats and defending against sophisticated targeted attacks and ransomware, a security solution that doesn’t consider OT-specific requirements can actually cause more damage than an attack.
Security has become important in the IT sector, but there is a lot of experience in this area and solutions are mature. That’s why I believe traditional IT vendors have an advantage compared to automation technology. Nevertheless, many things are different in OT. Availability is just one concern. A solution has to be implemented in the least invasive way possible because changes to existing systems are not possible or the result is unpredictable. The IT team has to understand that every little change has to follow a very structured and documented approach. There is no such thing as just trying things out in OT. What IT administrators tend to do on a Friday afternoon is not possible in OT. The combination of IT and OT is the key to success. The IT vendors that just try to resell their solutions into a new market without adapting to the requirements will not make friends there.
At Barracuda, we believe our IT security history is a big advantage because our solutions have state-of-the-art security technology built in. Since we launched purpose-built product lines for both OT and industrial IoT use cases a few years ago, there have been some lessons to learn. Our willingness to listen to customers and prospects and to adapt the solutions to the very specific requirements needed in this area has helped us succeed.
We believe our effort to build a high-profile solution made it possible to be named as a Representative Vendor of a specialized OT security solutions vendor in the 2021 Gartner “Market Guide for Operational Technology Security.”1 We feel this is a good reason to be proud, but no reason to rest.
1 Gartner, “Market Guide for Operational Technology Security”, Katell Thielemann, Wam Voster, Barika Pace, Ruggero Contu. Published 13 January 2021.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.