Regulations and Cyber risks drive OT Security Adoption and Zero Trust Network Access

Vulnerabilities are becoming more complex

  • Multiple OEMs
  • A range of vulnerabilities, from hard-coded credentials to nonexistent or weak passwords
  • A range of exploitation options, from remote code execution to file/firmware/configuration manipulation
  • Impacted systems include safety-instrumented systems that are designed to protect human life

Current Security Tools are insufficient

  • Careful planning is needed so as not to introduce more risk to production uptime in operations.
  • OEMs play a key role in the operational phase of the life cycle of their products and bear the burden of developing, testing and rolling out patches in tightly controlled physical process environments.
  • End users have an even heavier burden: knowing where these vulnerabilities are, and then determining whether patching, isolation, upgrades or a combination of these makes sense for their own custom-made operations.
  • Deployment of patches and updates has to be scheduled to coincide with scheduled downtime of the production process.
  • Patches are unavailable for OT systems running an out-of-support OS.

Governments respond with new regulations (in addition to existing ones like IEC 62443)

  • The CISA “Shields Up” Campaign in the U.S., and similar efforts in other countries
  • Various directives from the U.S. Transportation Security Administration for pipeline and surface transportation operators:
    • Enhancing Pipeline Cybersecurity — SD-Pipeline-2021-01B
    • Enhancing Rail Cybersecurity — SD 1580-21-01
    • Enhancing Public Transportation and Passenger Railroad Cybersecurity — SD 1582-21-01
    • Enhancing Surface Transportation Cybersecurity — IC 2021-01
    • Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing – SD-Pipeline-2021-02B
    • Pipeline — Table of Implementation Timeframes — Attachment 1 to SD Pipeline-2021-02B
    • Information Circular (IC) to Enhance Pipeline Cyber Security (IC Pipeline-2022-02)
  • A new U.S. Cyber Incident Reporting law for operators of critical infrastructure
  • In the European Union, the upcoming NIS2 directive will increase security controls and incident reporting mandates across all EU countries.

Source: Gartner Market Guide for OT Security 2022