Compliance does not equal OT network security

Research reveals OT security leaders believe maintaining compliance with regulations is their top concern. Today’s threat landscape necessitates more.

One of the key findings from Skybox Security’s research report “Operational technology cybersecurity risk underestimated by operational technology organizations” is that ‘maintaining compliance with regulations and requirements’ is the most common top concern of OT security decision makers.

It is easy to see why compliance is a concern: mandates often change, are hard to interpret, and are often overwhelming. In the OT environment, security requirements and methodologies are many; for example, there are:

  • STIG compliance requirements
  • NERC CIP compliance
  • Compliance with FAIR Methodology
  • Cyber Value at Risk (CVAR) model

So, while compliance is the primary concern across many different functions, it is not — by itself — a silver bullet against bad actors. Why not?

Compliance is only one part of a bigger security picture

Compliance frameworks give insight into fine-tuning the technologies already in place, but each covers only one facet of security and reports progress only for that one specific area of concern. For instance, the focus of NIST 800-41 is just security controls and firewalls, so it only ensures compliance at a network’s perimeter and for zone-to-zone access. That’s it. It does not address the entirety of an enterprise and its components, and it is hardly the full spectrum of security measures needed for user identity, virtualization, or container security.

What are some of the main reasons for the misconception that compliance is good enough? Part of it comes from standardization: a standard is the culmination of ratified thinking. Like that old gum advertisement, “four out of five dentists recommend Dentyne for their patients who chew gum.” It’s not an absolute endorsement, but it lends credence.

Satisfying checklists does not ensure OT security

Many companies invest a lot of time and money in resources and technology to secure their environments, specifically to meet auditor requirements. When a company passes the audit and satisfies the checklist, it is easy to assume it has fulfilled the criteria and, therefore, must be safe. “We have the paperwork to prove it!” Unfortunately, this wishful thinking often leads to gaps in security.

For instance, the research revealed that security teams greatly underestimate the critical risk of a cyberattack to their crown jewels: 56% of all respondents are highly confident that their organization will not experience an OT breach in the next year, yet 83% said they had at least one OT security breach in the prior 36 months. With regard to compliance, this says to me: “I’m compliant but continue to be vulnerable to breaches.”

Consider the phrase “you’re only as strong as your weakest link.” Imagine a square table where three of the four corners are monitored for compliance. All three corners pass, but the fourth corner is a question mark. Those responsible for the other three corners can point out that they are compliant; never mind that the fourth corner is not. The whole table collapses. Or, in the case of an OT organization, you are breached. One exposed vulnerability is all an attacker needs to wreak havoc on your business, and compliance alone won’t stop them.

With Skybox, you’re compliant. But more importantly, you’re secure.

Don’t sweep your cybersecurity vulnerabilities under the rug

To put all your faith in compliance is akin to sweeping your security vulnerabilities under the rug. It’s putting your head in the sand. Don’t think for a moment that compliance is all you need. That’s a recipe for getting sucker-punched at 3 AM when you discover your plant machinery is held hostage with a significant production schedule due for delivery that same day.

OT organizations must up-level their security and place as much importance on vulnerability management as they do on security policy and compliance management. This requires a platform that can visualize and analyze OT, hybrid, and multi-cloud networks, providing full context and understanding of the attack surface. OT organizations can use this intelligence and context to increase the overall strength of their cybersecurity controls, processes, and compliance programs.