The modern cyber attack surface is expanding rapidly. The past couple of years have seen the conversation shift from securing IT servers, networks and personal devices, to the threat posed by operational technologies (OT) – whether industrial control systems (ICS) in manufacturing, or the connected heating, lighting or CCTV systems found throughout any modern organisation.
"OT has historically been air-gapped from the network and thus semi-immune from cyber threats," explains Bojana Čukalevski, solutions design specialist, security and mobility solutions, Tech Data Europe. "Over recent years, the vast benefits brought by digitalisation have seen OT technologies being networked and connected to the internet. As a result, they make themselves vulnerable to cyberattacks."
One 2019 report from the Ponemon Institute and Tenable reveals that 62% of organisations in industries relying on OT experienced two or more business-impacting cyberattacks in the past 24 months.
Not only does OT provide a backdoor through which cybercriminals can access a company's network, but they are often enabled by a lack of visibility into any areas of potential threat. A study by Fortinet showed that 78% of organisations only have partial cybersecurity visibility into their OT systems, making it difficult "for teams to detect unusual behaviour, quickly respond to potential threats, and perform threat analysis".
"Traditionally, cyber security has been the domain of the IT team. However, with network-attached OT devices, which are often owned by the line of business (for example, operations, production or logistics), these teams are having to consider cyber threats for the first time," says Čukalevski.
This is a big challenge for an organisation, she notes, as many of the OT devices – such as a robot on a production line – might not come with any security built in. "The OT asset is even likely to be a legacy asset that has been retrofitted with networking capabilities. The first big demand is identifying the threats and then building a strong cyber security posture."
With IT teams struggling to secure this raft of new devices on the network, some Managed Security Service Providers (MSSPs) have already identified an opportunity to build or expand their practices to include OT security advice and implementation.
Datacentre specialist APC by Schneider Electric notes that a recent customer event focused on how its MSP partners can build a practice that includes OT.
"Today, connected devices and appliances require power, networking and security but many traditional OT integrators won't typically have the skills to connect and manage networked devices in-house. This opens the door for MSPs to manage the lifecycle of these deployed devices on their behalf," Jamie Bourassa, VP of IT channel strategy and Europe sales at APC by Schneider Electric, tells Channel Pro.
Elsewhere, cybersecurity vendor Radiflow recently launched a partner programme for MSSPs looking to offer OT cybersecurity services. Rani Kehat, Radiflow's VP of business development says it's important that IT-focused MSSPs be aware of the differences between IT and OT security, in terms of protocols, compliance and regulations specific to each OT industry, and also the physical operating environment of many OT-based operations.
"Vendors in coming years will be expected to allocate dedicated support and education for MSSPs," he tells Channel Pro. "In addition, security products need to be simpler to operate by non-cybersecurity experts. The offering itself needs to be modular to cater to the different needs of different types of end-users.
"Other than that, vendors need to realise that managed security is still a new concept for many industrial operators. As such they need to offer MSSPs adequate incentives to defray setup and end-user acquisition costs."
"Most industries have managed OT in a different realm than IT, maintaining separate technology solutions and governance structures, protocols and standards," says Joeri Barbier, global head of operational security at IT service provider, Getronics. "It's in the 'convergence' space between OT and IT that MSSPs will bring advantages to their customers, offering the right guidance and significantly reducing risk and cost."
The good news for partners is there are reports of a greater awareness of the security risks associated with OT among organisations. According to a survey by the SANS Institute, 46% of security pros say increasing visibility into control system cyber assets and configurations is a 2019 priority, followed by investing in general cyber security awareness programmes for employees including IT, OT and hybrid IT/OT personal (30%) and bridging IT and OT initiatives (27%).
"The most important thing for an MSP or MSSP trying to build an OT practice is to understand their customer," Čukalevski tells Channel Pro. "It's highly likely that when it comes to rolling out cyber security for OT solution in a business, an MSP will find themselves talking to department leads and senior managers, not IT staff," she says, adding the partner will need to communicate across marketing, pre-sales, sales, and support.
Čukalevski notes that partners will have to change their sales, marketing and training functions to reflect their new conversations across the organisation. This is where costs will be incurred for partners moving into OT, but it is also where distributors can help with technical training, sales training and strategic business enablement.
There's also an opportunity for MSSPs to partner with OT specialists to bring cybersecurity solutions to market. Says Bourassa: "Across all cases is that we are seeing an ecosystem evolve, where multiple players are coming together and taking a collaborative approach to delivering end-to-end technology solutions."
Whether acquiring the necessary skills or partnering with an OT integrator, there is a growing opportunity for IT security partners to build a practice that helps prevent their customers' OT systems becoming the weak link in their cybersecurity perimeter.
