Overcoming Objections to a Secure Industrial Assessment
The scenario: You work at an organization that relies on a large operational technology (OT) environment to drive its business. This environment lacks visibility into the full inventory of OT devices, how they all talk to one another, and how they are accessed remotely. You realize these shortcomings all add up to significant business risks that need to be addressed. There is budget available for a Secure Industrial Assessment, and like many company stakeholders aware of the increasing cyber attacks against industrial control systems (ICS), you see the value in getting the assessment done. However, your organization is big and has many stakeholders, and there are differences of opinion on how to spend the budget.
Here are the top objections you’re likely to hear from internal stakeholders, along with powerful counterpoints you can respond with so you can move forward with the assessment.
- “We don’t want a third-party consultant in there accidentally breaking stuff. It could delay production or impact our team’s safety.”
Any reputable ICS cybersecurity service provider’s team should have decades of experience and understand it is vital to be completely non-disruptive when working in OT environments. Their process will be based on interviews and passive monitoring tools to inventory assets, determine communication flows, and identify vulnerabilities. This approach eliminates the operational risks and safety impacts that may arise from conventional IT vulnerability scanning tools.
- “Our organization doesn’t have time for this. Our team has other priorities.”
It’s true that an assessment takes up some of the organization’s time and focus, but once initial discovery sessions are finished, a good Secure Industrial Assessments team can take it from there. At most sites, passive scans can be finished in one to three days, with final reports typically requiring only two to four days to complete. Ultimately, the detailed insights into your OT environment’s inventory, interconnections, and the related risks to your industrial control systems are worth the modest investment of time and energy from your team.
- “Now is not the time. We can’t risk production delays and we won’t be able to act on the results any time soon.”
A proper Secure Industrial Assessment that uses passive monitoring cannot cause production delays because it consumes no processing power or network bandwidth from the systems it scans. If you’re unable to perform remediations any time soon, conducting a Secure Industrial Assessment now will provide a road map for when your organization is ready to move forward, as well as a comprehensive asset inventory that saves you time and effort on future projects. And bear in mind: if your OT environment has serious vulnerabilities, a cyber attack that exploits those vulnerabilities could yield impacts far worse than production delays.
When layering in security to industrial control systems, it’s important for those with an IT background to understand that the reactive approach administrators can often get away with on an IT network simply does not apply to OT environments. Consistent uptime is always the priority with industrial control systems, so the update/upgrade windows for these environments are few and far between.
At iON, our Secure Industrial Assessments help you take advantage of the ample lead time between maintenance windows by providing guidance toward creating a defensible OT architecture.
The key components of a defensible OT architecture that we help you to implement are:
- Proper Segmentation – A properly segmented architecture not only aids attack prevention but serves to limit the impact of successful attacks, providing your OT team with a means of containing attacks and accelerating recovery from them.
- Improved Visibility – OT attacks often have nothing to do with exploiting specific system vulnerabilities as in IT, instead they frequently involve attackers navigating through the target OT systems and changing the settings of these systems to result in disruptive, or even destructive, outcomes. We help you apply the principle of Active Defense, incorporating measures that better enable effective monitoring by your people to help spot anomalous or malicious activity.
- Zero-Trust Principles – We help you ensure that only those who need to access your OT systems get access to them, providing practical, actionable guidance on Centralized authentication, authorization, and logging, and Secure Remote Access.
If your organization wants to improve or evaluate its ICS cybersecurity, iON brings over 75 years of combined experience in securing industrial control systems into every Secure Industrial Assessment we provide.
We are here to help you keep your business safe: https://www.ionunited.com/contact/
You might also like
iON Celebrates its 20th Anniversary in Cybersecurity
CALGARY, AB, March 2023 – iON United Inc. (iON), a leading cybersecurity solutions provider in Canada, is celebrating its 20th anniversary this March. Since its inception, iON has been at the forefront of the cybersecurity industry in Canada, helping organizations protect their valuable assets from cyber threats. This 20-year milestone is a testament to our…
Employee Spotlight: Meet Whitney Melrose
iON is excited to shine our Employee Spotlight on Senior Manager, Inside Sales – Whitney Melrose.Meet Whitney MelroseShaped by her early experiences growing up on a farm in Saskatchewan, Whitney’s professional work ethic was formed from essential values instilled in her upbringing.My love for helping others in my career came from helping my family on…
Employee Spotlight: Meet Laurence Bullivant
iON is excited to shine our Employee Spotlight on Senior Network Architect, Laurence Bullivant.Meet Laurence BullivantLaurence travelled round the world before landing in Canada and working for iON. Originally from New Zealand, he studied Computer Science at university, where he excelled in his courses and grew his knowledge. In his second year, he decided to…