Operational Technology (OT) environments have increasingly come into the scope of cyberattacks as continuing IT/OT convergence has eroded the boundary between these traditionally segregated domains. The networks have converged, but the thinking has not kept pace: risk is still not understood as an enterprise-wide issue that transcends organizational boundaries.
You’ve heard me say this before, but it bears repeating: Hackers don’t care about checkboxes. They respect your org charts even less.
Like water through stone, attackers find their path of least resistance and exploit whatever weaknesses they find to achieve their objectives. Clarity of purpose drives their action.
What’s your objective? Make it through the week/month/year without winding up in the news for a major breach, so you can go on to the next gig, and the next one, riding the cybersecurity talent scarcity rollercoaster all the way to retirement?
We often hear, “think like an attacker.” That doesn’t just mean offensive tradecraft and social engineering, all the technical stuff. What it actually means is transcending the organizational, political, and governance boundaries, the artificial lines you’ve drawn around pockets of your enterprise, and trying to see your environment as the attackers do: as one big soft target just waiting to be plundered.
Despite record spending and investment in cybersecurity products and services, attacks are only getting worse. Although losing your critical business data sounds unpleasant, things get exponentially worse in the OT space.
Sure, having to switch to paper patient charts in the ER for a few days after a ransomware attack is nobody’s idea of fun. Neither is losing business because your point-of-sale systems went down hard. Yet, these scenarios pale in comparison to OT impact models: regions out of power, disruption of energy and food supplies, physical damage to critical infrastructure potentially leading to loss of life.
These aren’t hypothetical: Between BlackEnergy, TRISIS, and Colonial Pipeline, we’ve seen exactly how bad and how quickly things can go wrong when OT is the target.
What is the lesson? Convergence and Time. The sooner we erase organizational barriers and artificial silos that keep our risk management functions isolated and outgunned, the sooner we can achieve a unity of purpose and the clarity of mission on par with our adversaries.
The sooner we stop treating telemetry differently based on its source and recognize the simple truth that “data is data”, that there’s no “compliance data” and “security data”, the sooner we can enable true enterprise-wide risk visibility and management models that include all and serve all – equally.
Each enterprise must find its own path to convergence. Hopefully, before the next breach shows you what you missed while waiting for that other department to tell you a story from the last quarter.
Qmulos Converged Continuous Compliance™ empowers organizations to achieve unprecedented visibility into their risk, compliance, and operational security posture. We deliver innovative software solutions that enable customers to achieve operational cybersecurity risk management goals while meeting compliance requirements.
Q-Compliance and Q-Audit disrupt the legacy IT compliance and risk management markets and enable CISOs to realize that “doing compliance” on top of big data is the best way to dramatically improve security. Founded on a risk-based approach, we provide software for organizations to finally combine their operational security and compliance budgets, and align resources toward one common goal: better security, protecting against ransomware attacks.