Resources

What is the Board’s Role in Cyber Risk Management in Operational Technology Environments?

By John Cusimano, Armexa Vice President OT Cybersecurity

Boards of directors play an important role in overseeing the strategic risks faced by their organizations, especially in high-risk environments like energy, transportation, manufacturing, and production.

Understanding and managing cyber risks in these areas, however, can be challenging. Here we’ll cover the main obstacles boards encounter, effective strategies for decision-making, and proactive measures to improve OT cybersecurity.

Primary Obstacles Boards Face in Evaluating OT Risks

One of the biggest challenges boards face in understanding OT cyber risks is that the people with OT domain knowledge are often too far down in the organizational hierarchy to influence board-level decisions.

Typically, the chief information security officer (CISO), who manages enterprise cybersecurity risk, doesn’t have the expertise to manage cyber risks in the OT environment. As a result, OT cybersecurity is often misunderstood, understaffed, and underfunded, despite the potentially greater impact of an OT cyber incident.

To gain a true picture of OT risks, boards should consider appointing a dedicated operations cybersecurity leader who collaborates with the CISO. This role should have executive-level visibility and the necessary support to assess and manage OT security risk.

Just as companies have environmental, health and safety (EH&S) leaders for managing safety risks, or financial leaders for managing financial risks, they need OT security leaders to manage OT risks.

More companies are recognizing this need and are creating dedicated roles for OT cybersecurity leaders.

Strategies for Effective Decision-Making in OT Environments

Effective decision-making starts with recognizing that the consequences of an OT security breach are significantly different from an IT security breach.

In OT, the focus is on managing cyber threats to health, safety, the environment, equipment, and production/operations. The best way to address these challenges is to follow industry standards for OT risk assessment and management, such as ISA/IEC 62443-3-2, which involves partitioning OT systems into security zones and developing credible risk scenarios.

Risk scenarios are then ranked based on their likelihood and impact, using the same scale the company uses for other risks. This ensures consistency and helps the board understand the relative importance of different risks.

Ensuring Strategic Cyber Risk Management Across the Organization

It’s important for boards of directors to recognize that there must be separate programs for IT and OT cybersecurity, each headed by their respective experts. This might initially seem confusing, but it will make sense once the board understands the specific risks to operations and the need for tailored risk management plans.

We recommend there be separate, but aligned, programs for IT and OT cybersecurity and that boards establish an OT Cybersecurity Governance Committee to oversee their company’s OT cybersecurity program. This committee should include key executives from operations, engineering, IT and finance.

Where Should Boards Go from Here?

We’ve highlighted the importance of dedicated support and a strategic approach to managing cyber risks in OT environments. Boards and senior management need to better understand, assess, and address these risks to protect their organizations.

Our team at Armexa understands OT-specific risks and can help align your security processes with business goals to optimize your organization’s resilience.

We offer guidance, collaboration, and hands-on support to ensure you know where your organization stands, what actions are needed, and the solutions to achieve your goals.