Building Cyber Resilience for Your Operational Technology Network

May 8, 2023

As recent cyberattacks have demonstrated an increased risk to both IT and operational technology (OT) environments, resilience readiness has evolved. It is more than a cybersecurity strategy and involves the enforcement of rules and policies that provide the visibility, control and situational awareness to respond at the speed of business while ensuring that safety and reliability are maintained.

Fortinet’s CISO for Operational Technology, Willi Nelson, shares his perspective on considerations when developing cyber resilience, covering fundamentals and strategic planning to protect the convergence of IT and OT environments.

What does cyber readiness look like in OT environments?

Willi: In light of recent events spanning the last three to five years, there has been an uptake in readiness and awareness within the industry. From pipelines to pharma and transportation, boards are becoming involved in that discussion, which turns the readiness discussion away from just, “are we prepared?” to now reporting on it. For example, some organizations have a dedicated individual that is working specifically on readiness across the organization. They are responsible for understanding whether threats are real and/or critical, but also what they should be doing and who they should call.

In your opinion, what is the most important piece of cyber resilience for OT organizations?

Willi: It’s all about awareness. The leadership, including boards and executives, is starting to have more awareness of their manufacturing facilities and operations. Security is becoming everyone’s problem. I think from an OT perspective, it’s back to partnering with your operation centers so they know what threats are real and what’s not. Automation engineers are extremely smart and very capable, but typically operation centers don’t communicate with them. It is crucial that communication opens up between automation engineers and operators to determine an appropriate response. To some extent, it’s people, process and technology, which goes back to fundamentals. We must communicate and understand what is being dealt with. For example, if I do X, how does that impact the business? The process has to be dynamic. As threats change, your response plans are going to change as well.

How can an organization gain more control and mitigate risks to improve their cyber resilience?

Willi: From an inventory perspective, it starts with knowing what assets your organization currently has. Without visibility into your current assets, you can’t know what your inherited vulnerabilities are. If you have an asset that has never been patched, and it’s not on your list of current assets, you’re never going to get to it. When dealing with new vulnerabilities, you should ideally have visibility into all of it. You should be aligned with the business and operations, your architecture and engineering teams should be talking and you should be partnered with security vendors. Once you’ve achieved this, you have progress.

What does successful cyber resilience look like as it relates to business continuity plans?

Willi:

  1. First and foremost, partner with the business. You need to know what the impact is to the business and if you are willing to take that risk.
  2. Then, going back to the fundamentals of communication, it’s important to make sure your teams, small or large, are functional. These players need to be prepared.
  3. Lastly, once you have a workflow you need to be dynamic and able to adapt when necessary. You need to understand that threats are going to change and will come from a direction you aren’t prepared for — that’s the nature of the business. “Train the way you fight, fight the way you train.” Everybody needs to be ready to help each other.

When thinking about cybersecurity solution investments going forward, what recommendations would you give to OT leaders?

Willi: When discussing solutions with OT leaders, I usually mention some of the core items which can help build a foundation for the future. For example, I encourage them to consider segmentation to help control OT/IT convergence as it gradually increases. In addition, regardless of the state of current cybersecurity planning, it is important to remain focused on a journey to integrate disparate products into a platform approach, a cybersecurity mesh platform. Also, OT organizations should incorporate zero trust network access (ZTNA) into cyber plans. Even if not all employees are working remotely, ZTNA has cybersecurity benefits across the extended network.

Willi Nelson
Fortinet Field CISO for Operational Technology (OT) | Fortinet
Willi joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in Information Security working across industry verticals such as Healthcare, Telecom, Financials, Manufacturing, and Life Sciences. Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads. Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker, and veteran.