There are reputable companies that can perform IT cyber assessments, but not many are trained in operational technology (OT) cyber threats and architecture. Many can do the IT cyber threat assessment, but the OT cyber threat assessment can be a little tricky.
An OT assessment requires network professionals to understand how the system provides an output and the importance of that product. Sometimes the product is the protection of human life. Cybersecurity assessments are not a one-time event; rather, they are perpetual monitoring of a system to know all devices attached and how each performs.
Most OT systems use protocols that are not common in IT systems. Having devices that can communicate over multiple protocols can be both a blessing and a curse. The protection of such a device needs to cover every way an intruder can attack, including a physical attack. The assessment organization must understand those attack vectors and how to prevent them.
Cyber assessment in the OT space is significantly different from the IT space because these devices and protocols are unknown to traditional IT assessments. Security integrators are learning new market lingo to offer services that can accurately assess systems. Another issue is the integrity of the assessment. Most end users will want separate organizations doing the assessment and performing the mitigation. That way, multiple experts will be reviewing the same problem and offering different ideas for mitigation.
It’s generally accepted that hardware devices for cybersecurity are better than software. Keep in mind that software will solve many problems but can be defeated. As mitigation is performed, the end user will need to provide their level of risk aversion to make the ultimate determination for cyber protection.
Anixter’s Bob Dolan is Director of Technology and David Cronk is Technical Director, Physical Security.