OT Perspectives: Understanding the Market Today

The last few years have witnessed intense interest in cybersecurity as an issue for Operational Technology (OT) environments. Distinct from Information Technology (IT), its better-known and usually better-funded corporate cousin, OT is the preserve of industrial control systems. For a generation, OT and IT were largely separate spheres, subject to (actual, functioning) air gaps and proprietary technologies.

Increasing rates of Internet connectivity, coupled with the use of more standard platforms like Linux and Windows in OT have made industrial systems more susceptible to hacking. In response, OT security has come into the mainstream. The process has been grudging at times, subject to corporate turf battles and cultural differences between IT security and OT security groups.

For vendors, the big question has been “who is actually buying OT security services?” While most, if not all, OT managers understand that security is important, not all OT departments are investing in security at the same rate.

For vendors, the big question has been “who is actually buying OT security services?”

This was on the minds of executives from Claroty, an OT security provider, whom I met at RSA. They see a number of factors driving OT security budgets.  Digital transformation is one, according to David Weinstein, Claroty’s CSO. “If you’re building your value proposition and basing your entire corporate strategy on technology, you will want that technology to be secure,” he said.

From Weinstein’s perspective, the three main drivers of OT security projects are threats and experiences, compliance and top-down mandates. “If you’ve had an incident already, you’re going to be sensitive to the issue of security,” he noted. He added, “Compliance has always been relevant, as well, but recently we’ve seen a change in attitude. It’s no longer about checking boxes and getting it over with. People want to be confident that they’re secure. There’s too much riding on it.”

“Compliance has always been relevant, as well, but recently we’ve seen a change in attitude. It’s no longer about checking boxes and getting it over with. People want to be confident that they’re secure. There’s too much riding on it.” – David Weinstein, Claroty’s CSO

Interest in OT security varies by industry, as well. Buildings and smart cities are a natural fit for OT security programs, but they are not as active in their realization as oil and gas companies, electrical utilities and manufacturers.  This makes sense, according to Weinstein, because there is a quantifiable monetary impact to an incident or outage.

“If you have to replace a multi-billion-dollar aluminum smelter because of a cyberattack, for instance, you will be quite focused on keeping that machine secure,” he said. “You don’t want to be the person who has to tell the CEO, ‘Sorry about that patch management problem… you know the one that cost the company two billion dollars to fix.’”

“You don’t want to be the person who has to tell the CEO, ‘Sorry about that patch management problem… you know the one that cost the company two billion dollars to fix.’”

Identifiable financial consequences have brought board-level attention to OT security. “Boards are seeing the value of OT security because they understand that costs, in hard dollars but also brand value and public relations,” Weinstein said. “They want safety and security, for its own sake, but also because it’s the right call for the business.”