What are the key cyber security challenges facing Operational Technology (OT)?

Security & GRCOperations Management
662 viewscircle icon1 Upvotecircle icon2 Comments
Sort by:
CISO in Software4 years ago

Keeping the machines from talking to each other is a complicated problem, especially for devices like that. They're in a lab environment and in the past, presumably, most of the gear wasn’t not accessible to the world. But they are accessible to each other, so if a virus gets in it can still spread from machine to machine to machine. 

So securing that depends on the use case. Do those machines need to talk to each other? If they do, then you have to have some kind of antivirus layer or inline filtering to look for malicious behavior and stop it. But even that's not foolproof because it's really hard to stop that stuff on the wire as they tend to be encrypted, especially in this day and age.

Lightbulb on2
vCISO and COO in Software4 years ago

I worked in biotech for 15 years and we've always had these labs with very expensive sequencers and robots, etc., which are hooked up to Windows XP machines that I couldn't put AV on. I couldn't patch them or do anything else to them because it wouldn't work with the firmware on the robot if we did that. We had to figure out all kinds of ways to protect those things not only from the internet, but from each other so things wouldn't spread.

Lightbulb on1

Content you might like

Does your organization leverage an Enterprise Architecture Solution/Tool for EA Practice?

Yes76%

No17%

We are in the process of selecting an EA tool8%

View Results

What are the roadblocks to AIOps at your organization?

Lack of qualified talent44%

Improper data management54%

Lack of cultural readiness56%

Business value is unclear to leadership28%

Cybersecurity risk potential19%

View Results

Do you have a lock out policy for system accounts? If so, how many attempts do you have it set too? 

Have you considered not having a lock out policy where accounts are vaulted / rotated & standing access is removed?

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?