What a mature OT security program looks like in practice

In this Help Net Security interview, Cindy Segond von Banchet CC, Cybersecurity Lead at Yokogawa Europe, shares her insights on what defines a sustainable OT security program. She outlines the key differences between short-term fixes and long-term resilience, and discusses how organizations can embed OT security within broader risk frameworks.

From addressing legacy system vulnerabilities to integrating OT into existing SOC operations, she covers topics such as visibility, training, and alignment with global standards like ISA/IEC 62443.

What does a “sustainable” OT security program look like in practice? Can you describe the key pillars that differentiate short-term initiatives from long-term resilience?

Yokogawa’s sustainable Industrial Security Program is based on the ISA/IEC 62443 standard, the global standard for OT security, and combines robust protection and operational continuity with long-term maintainability.

Our security program consists of six elements and covers short-term initiatives like the execution of risk assessments, gap analysis, and the implementation of security controls such as firewalls, anti-virus software and patch installation.

Cybersecurity starts with visibility. You can’t protect what you do not know you have in your network. Start monitoring your network 24/7 and apply an asset-centric approach with a clear overview of all OT devices (PLCs, SCADA systems, RTUs, HMIs, etc.).

To ensure long-term cyber resilience, it is pivotal for organizations to train all employees (including the board) on cybersecurity awareness. We don’t consider people to be the weakest link in an organization. With decent (OT) cybersecurity awareness training, your staff can function as your first line of defence.

Organizations will also achieve long-term resilience with security by design and system lifecycle management.

Policies and procedures are very often overlooked and are considered to support longer-term resilience.

However, once they are written and documented, they should not be set in stone. As the threat landscape evolves rapidly, you need to review and update your policies and procedures accordingly.

Where should OT security sit within the broader risk management structure of an enterprise?

OT security should reside within an organization’s enterprise-wide risk management structure as an integrated component of its overall cybersecurity strategy and policy.

A reporting line through the C(I)SO or CRO is highly recommended, to ensure alignment with the IT security team and the broader risk policies of the organization. Moreover, a unified risk framework like NIST RMF or ISO 27001 is helpful for governance, and collaboration and communication with engineering, incident response and production teams is key.

Many legacy OT systems are insecure by design. How should security teams prioritize compensating controls while balancing operational uptime?

First, you cannot prioritize which compensating security controls to take if you do not know what the actual high-risk assets are, and what the acceptable level of risk is for your organization. Instead, start with a risk assessment. Based on its outcomes, security teams can prioritize compensating controls according to the potential impact on safety, availability and regulatory compliance.

Compensating security controls like patching are deployed following a meticulous procedure during service/maintenance windows or planned plant shutdowns.

A segmented network has firewalls, demilitarized zones (DMZs) and VLANs to isolate OT networks from the IT domain and from access from the outside.

How do you recommend integrating OT security into existing enterprise security operations without overwhelming the SOC?

It is a misconception to believe you can turn an IT SOC into an OT SME team. The most important thing is to provide the security operations team with the right tools, data and partnerships, so they are equipped to respond smartly and effectively to security incidents.

To establish OT-specific context and visibility, you need to develop an OT asset inventory. There are toolkits out there in the market to execute passive scanning on the network to identify OT systems without disrupting operations.

From there, you can set the baseline of normal behavior in the network traffic and identify typical OT traffic and events to avoid false positives. It is pivotal that SOC analysts document and have visibility into industrial protocols like Modbus, BACnet, DNP3, EtherNet/IP.

From a SOC tiering perspective, route low-priority OT alerts to Tier 1 SOC analysts, while more complex OT incidents can be routed to Tier 2/3 or a dedicated team with OT SMEs.
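As an added illustration of the baseline-then-route approach described in this answer (example code, not Yokogawa's or the interviewee's), the block below learns a baseline of Modbus/TCP flows from a passive-capture window and routes deviations to a SOC tier; the addresses, flows and tier mapping are constructed assumptions.

```python
"""Baseline-and-deviation triage for OT (Modbus/TCP) flows.

Constructed example: each flow record is a tuple (src, dst, dst_port, modbus_fc)
summarised from passive capture. No real site data is used.
"""
from collections import Counter, namedtuple

Alert = namedtuple("Alert", "flow severity tier reason")

# Standard Modbus function codes (public protocol constants)
READ_FC = {1: "read coils", 2: "read discrete inputs",
           3: "read holding registers", 4: "read input registers"}
WRITE_FC = {5: "write single coil", 6: "write single register",
            15: "write multiple coils", 16: "write multiple registers"}

# Constructed learning-window traffic: an HMI and a historian polling two PLCs
LEARNING_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502, 3),  # HMI polls PLC-A holding registers
    ("10.1.1.10", "10.1.2.20", 502, 3),
    ("10.1.1.10", "10.1.2.21", 502, 4),  # HMI polls PLC-B input registers
    ("10.1.1.11", "10.1.2.20", 502, 3),  # historian polls PLC-A
]

def build_baseline(flows):
    """Count each (src, dst, port, fc) tuple seen during the learning window."""
    return Counter(flows)

def classify(flow, baseline):
    """Return None for baseline traffic, else an Alert routed to a SOC tier."""
    src, dst, port, fc = flow
    if flow in baseline:
        return None
    known_src = any(s == src for s, _, _, _ in baseline)
    known_pair = any((s, d) == (src, dst) for s, d, _, _ in baseline)
    name = READ_FC.get(fc) or WRITE_FC.get(fc) or f"fc {fc}"
    if not known_src:
        # A talker never seen in the OT network: hand it to the OT SMEs
        return Alert(flow, "high", "Tier 3 / OT SME", f"unknown source issuing {name}")
    if fc in WRITE_FC:
        # Known host, but it never wrote to this device during the baseline
        return Alert(flow, "medium", "Tier 2", f"new write ({name}) from known host")
    if known_pair:
        # Known pair, merely a new read function: low priority
        return Alert(flow, "low", "Tier 1", f"new read ({name}) on known pair")
    return Alert(flow, "medium", "Tier 2", f"known host reaching new device ({name})")

def triage(flows, baseline):
    """Classify a batch and return only the flows that need analyst attention."""
    return [a for a in (classify(f, baseline) for f in flows) if a]
```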

What metrics or KPIs best reflect the maturity and sustainability of an OT security program?

ISA/IEC 62443 defines four security levels (SL1-SL4) that represent a risk-driven, threat-based benchmark for the strength of cybersecurity protections in an OT environment. The security levels scale from basic to advanced attacker scenarios and ensure that cyber defences are tailored and proportionate to the continuously evolving threat landscape. When partnering and co-innovating with our clients, we first ensure that the basic security hygiene is in place (like AV, WSUS updates, MFA, network segmentation with zones and conduits). From there, we define the roadmap towards the targeted security level our client wants to achieve.

From a managed security service perspective, we set KPIs in the SLA.

Overall, we consider the maturity and sustainability of an OT security program to be an OT security journey, on which we travel together to support our respected clients along the way.
