Cybersecurity is a significant challenge for companies of all sizes and across all industries around the world. As challenging as cybersecurity can be with modern or cutting-edge technology, it is often harder to secure and protect legacy hardware and software—the devices and applications that drive manufacturing and form the backbone of our critical infrastructure—that were not designed with cybersecurity in mind. A group of vendors have joined forces to create the Operational Technology Cyber Security Alliance (OTCSA) to coordinate efforts to address this issue.
Cybersecurity for OT and ICS
Companies and individuals understand the importance of cybersecurity for the most part. Cybersecurity is a massive industry and organizations spend hundreds of millions of dollars every year on products and services aimed at minimizing risk, identifying and blocking exploits, and detecting and responding to cybersecurity incidents.
There is a growing risk, though, when it comes to operational technology (OT) and industrial control systems (ICS). OT and ICS hardware and software are used across industries such as manufacturing, utilities, oil & gas, logistics, and transportation. These devices control valves and pumps, and railroad switches, and other crucial functions that are part of our critical infrastructure. Exploits against OT and ICS systems can disrupt operations, reduce or shut down productivity, cause ecological damage, and even put human lives at risk.
Much of the underlying OT and ICS hardware and software are legacy devices that predate the era of cybersecurity. They were never meant to be networked, or accessible over a public internet. They were not engineered with any consideration of such exposure to risk, and they were not designed with any security controls to mitigate or reduce that risk.
Operational Technology Cyber Security Alliance
The crucial nature of OT and ICS systems, combined with the unique challenges of protecting legacy devices, led to the creation of the Operational Technology Cyber Security Alliance (OTCSA). ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, Splunk and Wärtsilä have partnered to establish the OTCSA. The group is also open to new members from any company that operates critical infrastructures or operates OT systems to run its business (OT operators) as well as companies providing OT and/or IT solutions (solution providers).
The OTCSA mission is five-fold:
- Strengthen cyber-physical risk posture of OT environments and interfaces for OT/IT interconnectivity
- Guide OT operators on how to protect their OT infrastructure based on a risk management process and reference architectures/designs which are demonstrably compliant with regulations and international standards, such as IEC 62443, NERC CIP and NIST 800-53
- Guide OT suppliers on secure OT system architectures, relevant interfaces and security functionalities
- Support the procurement, development, installation, operation, maintenance, and implementation of a safer, more secure critical infrastructure
- Accelerate the time to adopt safer, more secure critical infrastructures
Philippe Courtot, chairman and CEO of Qualys, shared praise for OTCSA and appreciation for being part of launching the new alliance in a press release. “We are proud to be a member of the Operational Technology Cyber Security Alliance (OTCSA) and to work with other industry leaders to further the goal of bridging gaps in security for OT and critical infrastructures and industrial control systems (ICS). The time where individual companies provided security solutions that customers and operators had to ‘bolt on’ has passed. It is now about ‘building security in,’ which can only be achieved if we all work together, drastically reducing the growing cybersecurity risks as a result.”
Protecting Critical Infrastructure
As huge as the cybersecurity industry is, there has traditionally been very little attention paid to legacy OT and ICS systems. As important as our critical infrastructure is (it has the word “critical” right in the name), there has been a fair amount of reluctance to recognize the very real threats that face it, and apathy toward addressing the risks it is exposed to. It is awesome to see vendors come together to create an organization like OTCSA to coordinate efforts and collaborate to mitigate the risks and develop solutions to secure and protect our critical infrastructure.