Which of your operational technology (OT) systems are critical for the delivery of your products this week? Do you understand the cybersecurity threats that are emerging right now that could impact these systems? How real time is your assessment of your OT cybersecurity business risks?  

Sufficient protection against cyber criminals?

Managing and running a complex business is a tough challenge for any executive. Aside from developing, making, marketing, selling and delivering products and services there is a need to ensure a consistent approach to how the business is lead and run. To further complicate this OT and industrial systems are being actively targeted by bad actors. This will impact your business unless you take action to manage this risk.

GRC – Governance, Risk and Compliance

To support this the triad of governance, risk and compliance (GRC) comes into play. The concept of GRC has been around for a number of years and embraces:

  • Governance, which is the overall approach to how an entity is lead and run and how it utilises management information to best effect;
  • Risk management to understand the risks that may impact the success of the business;
  • Compliance ensuring that the business adheres to whatever legal and regulatory requirements apply to their business either locally or internationally. This can include aspects of safety, major hazard operations and data protection.

Business risk leaders have, for many years, embraced GRC issues and there are a number of software solutions that enable an organisation to capture their GRC requirements and then monitor them as and when their business environment changes.
But what of manufacturing systems, robotics, production lines and plant control systems? How are these being captured and reported on from a GRC point of view? What about safety critical elements of the plant that need additional cybersecurity attention?

OT systems – more accessible for cyber criminals

Operational technology refers to any computer system that controls or detects some form of physical input/output. Such a broad definition encompasses everything from industrial control systems that run manufacturing plants through to computers that control autonomous vehicles, elevators, oil, gas and nuclear plants.

Over the past few years OT systems have moved from proprietary, serial based networks and hardware to those that use TCP/IP based commercial off the shelf hardware and software similar to that used in conventional IT systems. This has enabled bad actors and hackers to take their existing skills and apply them to this domain as the barriers to entry have been lowered. The consequence is an upturn in cybersecurity events and incidents impacting OT systems including production lines and safety critical systems.

Cybersecurity risk assessment: also realisable at short notice

Unfortunately many businesses have not grasped this new threat to their livelihoods and the cybersecurity risk inherent in OT systems is, in many businesses, little understood. In a survey conducted by TUV Rheinland in 2019 74% of respondents had either never conducted a cybersecurity risk review of their OT systems or were unaware if such a risk review had been completed.
The good news is that such risk assessments need not be overly time consuming or complex. A number of general and sector specific frameworks exist to support this work and initial assessments can be achieved in weeks rather than months. In some cases a rapid assessment could even be conducted by OT cybersecurity experts in a few days, depending on the complexity of the operation.


of respondents had never conducted a cybersecurity risk review

Continuous monitoring in real time

A key requirement for effective risk management is knowing what hardware and systems could potentially be at risk. Identifying and understanding OT assets manually can be difficult but now specialised automated asset discovery tools can ease this task for OT networks.
Once risk assessment and asset discovery has taken place the supporting data should ideally be stored in a GRC tool enabling it to be combined with other corporate risk and governance data, thus providing a single view of your organisation’s GRC profile. The next step is to continuously monitor the OT network for threats in the same way that an IT network is monitored. This could ideally report back to a combined IT/OT security operations centre (SOC) or similar monitoring facility.

My tip:

GRC has a significant part to play in many OT deployments. By coupling real time monitoring with a risk based mind set, underpinned by a governance, risk and compliance approach, an operator of OT equipment can embrace cybersecurity challenges in their daily stride.

You should start embracing this sooner rather than later.


Nigel Stanley

Nigel Stanley

Global OT and Cybersecurity

Nigel Stanley is responsible for Global OT and Cybersecurity at TÜV Rheinland and a recognized expert on complex cyber security projects. With his know-how and practical experience, he helps many small and large companies to protect themselves against the increasing cyber risks. He has also written three books on database and development technologies and is a regular speaker at international events and conferences.

More Posts

electric mobility

Electric mobility: charging infrastructure getting more extensive

The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.


Cool title – no applicants? Sorting the good ads from the bad

Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.

Digital trends in 2020: ideas for making businesses more secure

How secure are the smart systems in our homes? How can we ensure that tomorrow’s digital solutions in the logistics, automotive and healthcare industries are secure from cyber attacks?



Submit a Comment

Your email address will not be published. Required fields are marked *