“Are we secure” are three words that can strike fear into the hearts of many a cyber security professional. Especially if it’s being asked by the Board. And the response needs to be succinct. And can’t be backed by a whiteboard and the 600 page audit report.
Security is the management of risk, and risk is a hard thing to quantify. Of course it’s easy to state: Risk = Likelihood x Consequence. But both those parameters are infinitely variable. And the likelihood and consequence for you are going to be different from the likelihood and consequence for me. To make it worse, they’re both temporal. The likelihood and consequence you have today may be different from those of tomorrow. But wait! It doesn’t stop there! Your tolerance for risk today may be different tomorrow as well.
In the world of Operational Technology (OT), managing cyber risk is a delicate balance between understanding threats and preparing for potential consequences. Unlike traditional IT environments, where risks might involve data loss or system downtime, OT systems control physical processes—think industrial control systems, electrical grids, and rail safety systems. This difference makes OT cyber risk unique and, in many ways, more consequential, as failures can lead to safety hazards, loss of life, production losses, or environmental damage. The ASD’s Principles of Operational Technology Cyber Security (https://www.cyber.gov.au/about-us/view-all-content/publications/principles-operational-technology-cyber-security) has codified this as Principle number 1: “Safety is paramount”.
So, while risk is relatively straightforward to define, determining whether your environment is “secure” is far more complex. A plethora of standards and frameworks abound, such as those shown below, and while they provide excellent guidance, they don’t deliver a universal stamp of security because each organisation’s risk landscape is different:
While frameworks offer valuable guidance, they don’t dictate how secure you are because they can’t account for the specific context of your organisation. What’s considered an acceptable level of risk for you may be unacceptable for someone else. Organisation A, a small utility company, may have limited exposure and resources, while Organisation B, a large electricity provider, may face a much higher level of inherent risk and have different priorities for risk mitigation.
Additionally, risk is a moving target. The threat landscape changes rapidly, with new vulnerabilities and attack vectors emerging constantly. An organisation’s operational goals and risk appetite can evolve too. A company with a high risk tolerance today might lower it if an industry peer suffers a significant breach, or if there’s a significant change in regulatory requirements. This dynamic external environment can be at odds with the relatively static nature of the internal OT environment and underscores that OT security is not a one-time achievement but an ongoing process.
Standards and frameworks like NIST SP800-82 and ISA/IEC 62443 are invaluable as starting points. They provide structured approaches for identifying vulnerabilities, implementing controls, and assessing risks. For example, ISA/IEC 62443 is tailored to OT environments and focuses on securing industrial automation and control systems (IACS), making it especially relevant to industries like energy, manufacturing, and water utilities. NIST SP800-82, on the other hand, provides guidance on securing industrial control systems (ICS) specifically.
These frameworks act as guides and benchmarks, helping to establish a cyber secure foundation. However, they don’t provide a definitive answer to whether you’re “secure.” Instead, they help to manage risk by implementing controls that align with industry standards. They’re certainly a good starting point, but the controls you choose and the priority you assign to them must reflect your unique situation.
A critical first step in managing OT cyber risk is knowing what assets you have and their value to you. This might sound obvious, but many organisations lack a comprehensive inventory of their OT assets and their associated risk profiles. And not just the physical assets but the information assets. This concept aligns with Principle 2 of the ASD’s Principles of Operational Technology Cyber Security – “Knowledge of the business is crucial”.
Without this foundational knowledge, it’s challenging to assess where vulnerabilities exist and what measures are necessary to protect them. The ‘information assets’ component can often be overlooked, particularly given the obviously critical nature of the physical infrastructure. But in modern systems the physical infrastructure is monitored and managed by information assets, and this aligns with the ASD’s Principle 3: “OT data is extremely valuable and needs to be protected”.
The role of the adversary is also often overlooked. That’s not to say “an attacker” isn’t considered, but rather the number and forms that those attackers could take. Are you defending against opportunistic Internet-based attackers (a.k.a. ‘script kiddies’)? Organised crime? Insider threats? Nation states? How many attackers of each type would be interested in targeting you, and how many similar organisations are there that they could target instead? The risks that each pose can vary significantly, as do the controls needed to (in NIST CSF parlance) Identify, Protect, Detect, Respond, and Recover from their attacks.
While an opportunistic attacker may use malware that could impact operations, it’s not always used in a targeted way but rather opportunistically across entire industry sectors or vulnerability types. For what it’s worth, it (probably) wasn’t personal.
But what about organised crime, nation states, or malicious insiders? These can sound a bit ‘James Bond’ but for many critical infrastructure providers the threat is real (you’re not paranoid if they really are after you). If an attacker has gained privileged access internally (which might be by bribing or coercing an internal employee) then the controls used to detect and protect against them may be quite different to those used against an opportunistic attacker.
Once you’ve got a grasp of your assets, you can use tools like attack tree analysis to prioritise controls effectively. Attack tree analysis is a method for understanding how a system could be compromised and identifying the paths an attacker might take to reach a critical asset. By evaluating these paths, organisations can quantify the effectiveness of various controls and make quantitative rather than qualitative decisions about where to invest limited budgets.
One such tool, SecurITree from Amenaza, is designed specifically to aid in attack tree analysis. With SecurITree, organisations can model potential attack scenarios and empirically assess how different controls impact overall risk. This approach allows for a data-driven perspective, helping to identify which controls reduce risk the most effectively and to justify security investments. It also allows for repeatability in the risk assessment process. Risk assessment can be very subjective and different practitioners will bring their own experience and biases to the table. Since SecurITree is data driven, any of the values, whether they’re derived from assumptions or actual data, can be updated as required. The IT department thinks their centralised SIEM provides a better security posture than the OT-specific one currently used? Model it and find out.
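To make the attack tree idea concrete, here is a small evaluator added for this post (it is not SecurITree or any vendor’s code). It builds an AND/OR tree with assumed leaf likelihoods, applies the post’s Risk = Likelihood x Consequence formula, and ranks candidate controls by risk reduction per dollar; every node name, likelihood, cost and the consequence value is a constructed illustration, and sibling paths are assumed independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    likelihood: float = 0.0     # leaves only: assumed annual chance the step succeeds
    children: list = field(default_factory=list)

def evaluate(node, controls=()):
    """Probability the node is achieved. controls is a list of (leaf name, factor):
    an applied control multiplies that leaf's likelihood by the factor. Sibling
    paths are treated as independent, a simplifying assumption."""
    if node.kind == "leaf":
        return node.likelihood * prod(f for leaf, f in controls if leaf == node.name)
    probs = [evaluate(c, controls) for c in node.children]
    if node.kind == "and":
        return prod(probs)                      # every step must succeed
    return 1 - prod(1 - p for p in probs)       # OR: any one path suffices

# Constructed tree: every name, likelihood, cost and the consequence below is an
# illustrative value, not data from the post or from any real assessment.
TREE = Node("Unsafe command reaches safety controller", "or", children=[
    Node("Via engineering workstation", "and", children=[
        Node("Compromise engineering workstation", likelihood=0.30),
        Node("Traverse IT/OT boundary", likelihood=0.40)]),
    Node("Via vendor remote access", "and", children=[
        Node("Obtain remote-access credentials", likelihood=0.20),
        Node("Misuse vendor remote-access session", likelihood=0.50)]),
    Node("Privileged insider acts maliciously", likelihood=0.05),
])
CONSEQUENCE = 5_000_000     # assumed loss in dollars if the root event occurs
# Candidate controls: (control, leaf it acts on, residual factor, cost in dollars)
CANDIDATES = [
    ("IT/OT boundary firewall with monitoring", "Traverse IT/OT boundary", 0.25, 120_000),
    ("MFA on vendor remote access", "Obtain remote-access credentials", 0.10, 45_000),
    ("Privileged-access monitoring", "Privileged insider acts maliciously", 0.50, 80_000),
]

def risk(controls=(), tree=TREE, consequence=CONSEQUENCE):
    """Risk = Likelihood x Consequence, as stated in the post."""
    return evaluate(tree, controls) * consequence

def rank_controls(candidates=CANDIDATES, tree=TREE, consequence=CONSEQUENCE):
    """Rank controls by risk reduction per dollar, highest first (re-run after any update)."""
    base = risk((), tree, consequence)
    rows = []
    for name, leaf, f, cost in candidates:
        reduction = base - risk([(leaf, f)], tree, consequence)
        rows.append((name, round(reduction), round(reduction / cost, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

With these assumed numbers the boundary control removes the most risk in absolute terms, but MFA on remote access buys more risk reduction per dollar, which is the kind of trade-off the modelling makes visible; changing any likelihood or cost and re-running gives the repeatability the post describes.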
OT cyber risk management isn’t static. As the threat landscape evolves, so too must your approach to risk. While frameworks provide a consistent baseline, they can’t anticipate every emerging threat or the specific ways it might impact your organisation. Regular assessments and adapting your security posture to current threats are key to staying resilient.
In the end, the journey toward OT security is about understanding your organisation’s assets, risk appetite, and unique threat landscape. Standards and tools are critical to building a foundation, but the onus remains on each organisation to continually assess its security posture and adapt as necessary. By recognising that OT cybersecurity is a dynamic, context-specific challenge, organisations can take meaningful steps toward mitigating risk in an increasingly connected world.
True security in OT environments is about more than ticking boxes on a compliance checklist. While standards like NIST SP800-82, NIST CSF, and ISA/IEC 62443 provide structure and valuable insight, they’re not a substitute for understanding your organisation’s specific risk profile and appetite. Through asset identification, attack tree analysis, and a proactive approach to evolving threats, organisations can make informed decisions to protect their critical infrastructure effectively. Ultimately, OT cybersecurity is a journey rather than a destination—one that requires constant vigilance, adaptability, and a keen understanding of the risks that are unique to your organisation.