A Blueprint for Building Sustainable Operational Technology Cyber Security Programmes

IN COLLABORATION WITH FROST & SULLIVAN
applied-risk.com
The contents of these pages are copyright © Frost & Sullivan. All rights reserved. frost.com
CONTENTS
3 Executive Summary
5 Chapter 1: Establishing an OT Cyber Security Programme
12 Chapter 2: Programme Design
17 Chapter 3: Shifting from OT Programme Planning and Design to Control Deployment
19 Chapter 4: Business-as-Usual and Sustainability
23 Conclusion: The Importance of OT Security to Organisational Security Resilience

All rights reserved © 2022 Frost & Sullivan | www.frost.com


Executive Summary
Many organisations that rely on Operational Technology (OT) need to elevate their
cyber security to a higher maturity level. A noticeable increase in threats that target
OT assets places a wide variety of companies, including those operating critical
infrastructure, at risk of process upset, production shutdowns, safety incidents,
or other service disruptions. These disruptions can negatively impact mission-
critical supply chain operations and the public. Ongoing geopolitical tensions, the
rise of criminal ransomware organisations, and the supply chain vulnerabilities that
critical infrastructure organisations face all increase the overall threat landscape.
New regulatory compliance standards are appearing, and ongoing trends towards
digitalisation and Industry 4.0 are driving integration between information technology
(IT) and OT domains, increasing the overall OT attack surface. That’s why many
companies with industrial operations are initiating OT security programmes.

Frost & Sullivan research has found that, among organisations operating critical
infrastructure, 37% of decision-makers voiced concerns over a lack of expertise in
accomplishing a sustainable and well-maintained OT security programme.

What makes such an OT cyber security programme successful? A typical IT-centric
strategy will not work in OT environments because OT cyber security practices vary
from traditional IT strategies. Consequently, organisations must address OT-specific
challenges when developing these programmes and use governance models and
frameworks that include engineering and business processes.

In an effort to keep risks as low as reasonably practicable (ALARP), stakeholders
should seek ways to implement the necessary OT security measures to preserve critical
business operations and to shield the organisation from potential service disruptions. An
increased level of OT security maturity is crucial for the long-term success of their OT
security programme and to sustain business-as-usual efforts.


Despite understanding the importance of an OT cyber security programme, 40% of
OT decision-makers have concerns about the potential security risks of IT and OT
system integration, even when security protocols vary.
– Frost & Sullivan Security Research Team

EXHIBIT 1: Sustainable OT Security Programme Strategy

The following equation describes a successful OT security programme:

Commitment + Framework + Discipline

Commitment: Stakeholders across the organisation, such as engineering teams,
operators, plant managers, and management, must be dedicated to developing,
implementing, and maintaining the necessary OT security controls and processes.

Framework: A solid OT security process must be created that focuses on identifying
business risks from immature OT security policies, meeting regulatory requirements,
achieving OT security goals, and implementing measures for long-term programme
maintenance and threat mitigation.

Discipline: OT security activities must be embedded within the business-as-usual
activities of the organisation. The efficacy of the programme must be maintained
through continuous monitoring, policy management, regular penetration testing, and
threat modelling.

This white paper has been produced by Frost & Sullivan in collaboration with
industrial cyber security experts at Applied Risk, a DNV company. It provides
a blueprint for the steps companies should take when planning, designing and
implementing an operational technology (OT) cyber security programme.


Chapter 1: Establishing an OT Cyber Security Programme: Goals, People, and Risks
The early phases of an OT security programme involve creating an aspirational
plan, which generates a solid foundation for the organisation to understand its
operational landscape, the risks it faces, and how it can best respond to and prevent
significant damage or disruption from an attack.

Security practitioners, companies or organisations must understand how OT-related
risks differ from IT-related risks and identify the measures the organisation should take to
mitigate or reduce the harm of a successful attack. This must be done while meeting the
requirements of an operational business environment. Therefore, organisations must employ
a knowledgeable internal workforce with an engineering, IT and cyber security skillset
and outside experts that understand the overall OT system threat landscape and potential
countermeasures. Together, they can determine the organisation’s risk profile, ensure
comprehensive risk identification and assessment, and provide fit-for-purpose solutions.

Goal Setting for the OT Security Programme

Once an organisation recognises its need for a holistic OT cyber security programme, it can
begin identifying critical systems, assets, stakeholders, regulatory standards, technology
solutions, and governance models that can guide it towards an ideal programme
model. Core goals the OT security programme aims to create and implement include:

• Creating extensive risk assessments and execution plans in line with the organisation’s
threat landscape

• Establishing mitigation plans and backup strategies for recovering from successful attacks

• Defining roles and responsibilities for OT security stakeholders (according to a
governance-powered operating model)


The goal of this phase is to find out what constitutes OT security risks, threats, and
inherent vulnerabilities. Organisations must also understand what ideal OT security
programme goals are and how they can tangibly measure success within the programme
framework. One of the first questions to answer is what is driving the organisational
need to develop an OT security programme. Other important questions include:

• Has the organisation or a close competitor experienced a successful attack or breach?

• How can the organisation prevent potential operation or service disruptions?

• What are the safety concerns for the organisation and/or the public?

• What regulatory standards must the organisation adhere to for safety and overall security?

PROGRAMME GOAL SETTING TO-DOS

• Educate the organisation on the difference between IT and OT cyber security threats,
programme operations, and goals

• Assess why the organisation needs to implement an OT cyber security programme

• Identify compliance regulations, industry regulations, and other external pressures on
the organisation

• Identify and assess OT systems, protections in place, specific vulnerabilities, and what
mitigation strategies to initiate


Stakeholder Identification: The People Behind the OT Security Programme

While understanding threats is a key component of understanding overall risk,
it is merely the first piece of a three-pronged OT security programme outline.
Organisations next need to identify the principal stakeholders that will make up
their core security committee and undertake the following tasks:

• Planning and designing controls, policies, and processes to mitigate threat risks

• Obtaining approval for the resources necessary to implement new controls and processes

• Assigning personnel for all OT programme lifecycle controls and stages

• Managing the programme implementation and integration phases before the official handover

• Securing committed support and financial backing from senior management

After identifying the members of the security committee, the organisation will be
able to set specific programme parameters as follows:

• How and when security systems will be updated

• How often to evaluate the programme’s adherence to the success factors

• The security systems the OT security operations will use

• Who approves, apportions, and maintains the programme’s long-term expenses

• The programme’s critical success factors and key performance indicators (KPIs)

During the programme’s planning phases, the budgetary process may involve
asking stakeholders to subsidise specific portions of the programme rather than the
total system cost. It also involves identifying the varied roles and responsibilities of
each stakeholder.


In addition to determining who will bear the cost and setting the organisational
KPIs for the OT security programme to achieve, the security committee will need to
assign specific duties to its members. This involves delegating specific champions
for the OT security programme during the design, implementation, and maintenance
phases who can ensure that the programme still fits with the organisation’s goals.

A major pitfall that organisations worry about in their OT security committees is
that they could deputise too many stakeholders and make the decision-making
structure so complex that it paralyses the planning process. Frost & Sullivan noted
this concern from 26% of OT programme stakeholders.

Finally, the organisation must identify which committee members can liaise
between engineering teams, programme managers, technical leads, and
executive leadership to maintain ongoing communication about the OT security
programme progress. The handover phase, from initial project launch to
business-as-usual within the organisation, is a critical transition phase that
should conclude the following:

• The creation of and adherence to ongoing risk assessment schedules

• The identification of day-to-day operations managers

• The tracking of OT security programme progress against organisational KPIs


Support within upper management will be important to ensure that the OT security
programme remains relevant for all stakeholders and that the handover is effective.
Without an organised handover, the OT security programme could become a costly,
one-off security planning session that negates all potential progress and planned
risk reduction activities during the next few years.

THE PEOPLE TO-DOS

• Obtain board of director endorsement, commitment, and priority

• Create a security committee with associated stakeholders

• Set the OT security programme parameters

• Assess the approval processes for new purchases and stakeholders that will bear the costs

• Set the KPIs and success metrics for the OT security programme’s initial phases and the
long-term metrics

Assessing the Risks and Vulnerabilities to Critical Assets

Organisations in a highly regulated industry that must adhere to strict compliance
or regulatory requirements will have more internal pressure to create an all-
encompassing programme. Conversely, if an organisation does not have significant
regulatory or compliance pressures, executive management can drive efforts to
strengthen its operations and protect the organisation from threats.

Creating a holistic OT ecosystem risk assessment requires that the organisation
understands the extent of its vulnerabilities. This includes knowing:

• What assets, systems, and operations require additional protection

• Where its vulnerabilities are and how outsiders could exploit them

• How best to mitigate any damage if these vulnerabilities are left open

Organisations must look beyond their technological ecosystem to the operational
and business risks of a major breach. This includes knowing how a successful
attack could impact business operations and activities and affect its end customers,
the public, and any partners that rely on the business for specific services. Once
the organisation can view its risks from these top-level perspectives, these
assessments become a crucial linchpin for future business planning, operational
improvement strategies, and the OT security programme’s long-term success.

The security committee members will need to create a company OT security framework
that covers the specific security controls, compliance policies, and programme frameworks
that external regulatory bodies stipulate. With external regulatory frameworks in mind
and consideration of international standards like NIST, ISO/IEC 62443, and ISO 2700X,
the committee can craft specific policies to mandate practices, roles, and responsibilities
in OT security solution operations and supplement this framework with procedures and
controls to achieve specific organisational goals. This security framework will set specific
organisational procedures regarding the design, installation, integration, and maintenance
of the OT security programme throughout the system’s lifecycle.

For many organisations, industry-specific laws and regulations are additional drivers
behind establishing and implementing an OT programme. To avoid costly fines
for non-compliance or even the loss of their permit to operate, organisations must
examine the laws and regulations that govern their respective industries. They can
then determine what their OT security apparatus will require from a regulatory
perspective and combine this information with what the organisation needs to do
to reduce its risk profile. Once the organisation knows the main security solutions
or capabilities that it must utilise, reminding OT programme stakeholders why the
implementation of those solutions is necessary is important. Some examples include:

• Preventing operational downtime

• Safeguarding life, property and the environment

• Protecting personal identity or organisational data

• Adhering to financial statutes

Knowing why these regulations exist can help stakeholders identify operational
risks they may not have considered.


After identifying and assessing regulatory and compliance statutes, organisations can
design the proper policies, procedures, and control frameworks to ensure long-term
compliance. While much of this step involves policy creation and implementation, it
also pushes the organisation to implement an assurance model that identifies and
appoints a specific role (individual or team) to monitor and assure leadership and
regulatory authorities that the organisation is meeting, evaluating, and reporting
company standards. A multi-layered defence strategy is the most fitting because the
first line of defence would be in the relevant business unit itself, the second in a central
OT cyber security centre of excellence, and the third could be an internal audit function
(or even an external party). Once the organisation has identified and appointed
these critical stakeholders and they understand which essential tasks to conduct, the
organisation can move into the next stage of OT security programme planning.

RISK AND VULNERABILITY ASSESSMENT TO-DOS

• Determine specific controls, policies, and frameworks mandated by outside regulatory bodies

• Set organisation-specific policies that can augment existing frameworks to meet
organisational goals

• Develop and implement an assurance model that identifies and delegates policy reporting
tasks to specific stakeholders


Chapter 2: Programme Design: Controls and Solutions
An OT security programme’s success does not result from technology solutions
alone. Much of the first step in programme creation focuses on the organisation
itself, its threats, the people best suited to combat these ongoing risks, and the
precise policies the organisation must follow to create a more resilient operational
posture. After the organisation has defined its policies and tasked stakeholders
with programme management, it can assess its security posture and determine
the next logical steps.
Designing the Security Operations: Control and Workstream Creation
Once the OT security organisation has conducted its initial risk assessment,
the programme stakeholders must identify and determine the specific security
components, controls, and programme priorities. During this stage, organisations
evaluate how the existing controls (across people, process, and technology
components) account for risks so they can determine an effective and efficient set
of additional measures that will reduce risk to the ALARP standard. The evaluation
of existing IT security controls and solutions will aim to re-use them within the
OT security system to ensure upfront cost savings and immediate risk reduction.
However, while many OT security controls may appear to echo existing practices
or systems within the organisation’s IT security team, OT security programme
stakeholders must articulate whether these same practices, technologies or
solutions are applicable in an OT environment.


Visibility is a fundamental and critical security control for an OT security
programme. Establishing comprehensive OT visibility requires creating up-to-
date asset inventory and network drawings. Along with a suitable reference
architecture, this will allow for OT environment segmentation into zones
and conduits according to industry best practices, which will reduce overall
vulnerability exposure. This exercise will require both tools and human expertise.

In addition, security teams need solutions that log and monitor all OT network activities;
this serves a regulatory reporting function, augments the security team’s visibility in the
environment, protects assets, and ensures adherence to security policies and regulations.

The next set of controls fortifies the overall OT system defences. First, teams should
ensure that a cohesive identity and access management system, both around the
physical access to the organisation’s facilities and for digital access to OT systems, is in
place and updated to reflect roles, responsibilities, and employee or contractor rosters.
This limits potential unauthorised access via lost or stolen credentials and plugs potential
vulnerabilities left open because of human error or via a social-engineering attack.

Other system-hardening hygiene, such as replacing legacy hardware or maintaining
network and component updates, can limit breach risk by plugging existing holes. Planning
and executing changes should follow a strict management of change (MoC) process, which
is often already used in sensitive OT environments. This allows security teams to plan
updates throughout the operational planning and meet planned maintenance schedules.

At the same time, OT security teams must be vigilant in assessing new
vulnerabilities that may affect system components. To ensure that no new
vulnerabilities become major attack vectors, security teams must prioritise:

• Effective and timely patch management

• System hardening

• Change management controls


However, OT security teams must be risk-averse and run any change through a risk
assessment and MoC process to ensure that there will be no negative impact on the
operational process.

As OT security teams can never prevent every breach or security incident from
occurring, creating clear incident-response policies and workstreams is vital. The
development of comprehensive workstreams within incident response plans and
playbooks, in addition to business continuity plans, will be the important planning
stages. However, training the organisation how to enact these plans is crucial.
This will ensure that all relevant stakeholders (including third parties) know the
exact policies, actions, and duties to perform in the event of a system breach to
limit potential damage. In some cases, a technology solution can automate these
incident-response capabilities.

System or component backup and restore is the last essential piece of these
incident-response and business continuity plans. With these controls in place,
organisations can significantly limit potential downtime from an incident and
maintain critical activities, even in the face of a successful breach or attack.
However, it is essential to test backup capabilities to ensure they can successfully
recover the system. Having identified and prioritised these main security controls
according to their own risk assessments, organisations can move into the decision-
making phase for implementation strategies and consider criteria for future controls.

CONTROLS AND WORKSTREAM TO-DOS

• Assess existing IT and OT security controls and systems for viability with OT security
programme goals

• Harden OT system defences through holistic identity and access controls and upgrade
legacy hardware and network components

• Establish a strict MoC process

• Create incident response policies, workstreams, and playbooks, and initiate regular
testing of these plans

• Implement system backups and restoration capabilities


Considerations for the Ideal OT Security Solution Set

With the ideal programme planning, responsibility delegation, and risk mitigation
strategy in place, OT security teams can start planning and executing remediation
activities. Once programme stakeholders understand their own situation, they can
consult risk assessment plans and system architecture maps to determine where major
risks remain and triage them according to likelihood and impact. With this top risk
prioritisation list in hand, OT programme stakeholders can determine the precise risk-
mitigating security measures and establish an implementation timeline. This exercise
can help the security committee answer questions from other teams or executives in
the organisation concerning implementing certain controls before others.

Choosing the right measures and solutions is not easy.

For example, purchasing OT security solutions should never be spontaneous, which
means that the organisation should create a workstream that stipulates precisely how
OT stakeholders can evaluate solution add-ons for the programme based on a proper
risk assessment. In that assessment, stakeholders should articulate the following:

• The exact risks to the organisation if it takes no mitigating action

• The impact of new measures on existing operational plans

• The changes or revisions to the governance model or network architecture

• The impact on overall headcount or operational activities

This approach documents proposed programme changes or additions while
assessing their potential impact on future operations.


This assessment should consider future solutions. For example, stakeholders need
to consider both how a new OT solution impacts overall security resilience and
how evergreen the solution will stay throughout the system’s lifecycle. This includes
ensuring new security controls do not hinder future strategies and considering
whether these practices or systems will mitigate future business risks, even as the
organisation’s goals and strategies evolve. With respect to the business risk profile,
stakeholders should consider the following questions:

• How does this technology component maturity compare with the organisation’s
risk appetite?

• Is the organisation an early adopter of a minimum viable product?

• Does the organisation prefer to invest in established technologies?

Once the risk and consequence assessments are complete, all stakeholders must
decide whether to initiate, delay, or reject the final purchase. This discussion must
consider which team within the OT security programme controls the final purchase
decision, who leads installation and implementation, how the management of
governance will occur, and how the mitigation of risk will succeed.

Stakeholders must understand the changes a new piece of technology or process
may require or how workforce development could affect long-term security
operations and determine who is in the best position to conduct maintenance and
operations throughout the lifespan of the security measures. Conducting these
steps in the early stages of the OT security programme’s lifecycle will ensure
a smooth handover and long-term success, which will result in the programme
framework’s sustainable operation and maintenance.

DETERMINING THE IDEAL OT SOLUTION SET TO-DOS

• Identify specific security measures to mitigate organisational risk

• Establish an implementation timeline for these identified measures

• Establish a risk assessment process for determining new security system add-ons

• Educate stakeholders about the organisation’s risk appetite and future resilience goals


Chapter 3: Shifting from OT Programme Planning and Design to Control Deployment

After the design phases, the organisation moves into the implementation phase
for the defined controls. This will require purchasing, deploying, and implementing
the identified services and systems. This stage begins with the creation of a final
timetable planning effort.

1 The OT programme management should carefully plan for the entire
remediation period and have their main specialists evaluate architecture
designs, planned controls and component purchases, and align these
with other functional upgrades and planned downtime.

2 The management team should break the master schedule down into
phases, with related timetables for purchase and integration.

3 The management team should share these planned timetables with
engineering and plant operations teams to limit the impact on existing
systems, ongoing operations, and feasibility checks.

4 With engineering-level approval, the OT programme managers should
then share plans with executive teams for final purchasing approval.

Managing stakeholder expectations is imperative at this programme stage, but
stakeholders must understand that the OT security programme is a multi-year,
phased journey.

The master timetable will reflect this and include the budgetary and investment
schedule necessary to complete the plans.

There will never be a one-size-fits-all approach to creating implementation timetables.
Every organisation faces unique challenges, has its own as-is situation with specific
operational processes, requirements and restrictions. Achieving the desired situation
will require a tailor-made approach. It will, for example, depend strongly on whether
the organisation is migrating to newer greenfield system installations or adopting a
brownfield system requiring significant integration with existing systems. Benchmarking
against partners or competitors can help timetable development but may be less
effective than learning from the organisation’s own leadership, experience, and guidance.

During the implementation of the selected controls, it is important to keep the risk
profile updated based on the changing threat landscape and the effectiveness
of the control implementation. Periodic risk assessments will reflect the updated
control implementation state and provide the opportunity to measure risk mitigation
because control implementation will lower the probability of an incident happening
or its impact. Having the right tools and processes in place with a trained workforce
will help the organisation to raise its security maturity from reactive to proactive and
move towards optimising security maturity in the long term.

CONTROL DEPLOYMENT TO-DOS

• Develop full OT security programme implementation plans and a final timetable

• Create migration phase timetables for purchase and integration

• Maintain an up-to-date risk profile for the organisation based on new threats and the
effects of new controls


Chapter 4: Business-as-Usual and Sustainability

Traditionally, the period after a long-term phased OT security programme concludes
the security planning cycle. However, its success depends on more than completing
the final implementation because discipline is necessary to ensure a lasting impact.
Achieving OT security programme discipline amounts to the following practices:

• Making ongoing improvements to process safeguards to ensure the expected outcome of
security operations

• Communicating security policies and content while enforcing these practices

• Continually testing OT systems via penetration testing or red team exercises to stay
aligned with an evolving threat landscape

• Creating a fit-for-purpose assurance cycle throughout the organisation

• Conducting continuous monitoring of security controls, audits, and incident drills

Vendors, suppliers, and system integrators must be considered because they do
most of the implementation and maintenance activities. The organisation must tell
these third parties what it needs and expects from them and have a good third-
party assurance process in place to ensure the organisation’s security posture
remains continuous.

This will help organisations avoid one of the biggest pitfalls for OT security
programme sustainability: keeping long-term operations and maintenance from
regressing to more insecure practices and embracing future-oriented programme
practices.


Operational resilience spans the full technology stack, including IT, OT, the cloud,
telecommunications, and other connected systems in the organisation. Embedding these
cyber security controls in long-term operation and maintenance practices and having
a workforce that embraces this mandate will ensure that these OT security activities
are sustained smoothly without threatening the long-term viability of the organisation's
business activities. These long-term controls include the following solutions:

- Network security monitoring
- Segmentation and hardening
- Vulnerability assessments
- Incident response and training

OT security leaders, in partnership with plant-level engineering teams and staff,
should be mindful of the long-term system architecture and design and know
when to expand it as needed. They must have the power to add or eliminate
various controls or components as they reach end-of-life service, require updates
or new components, or introduce entirely new technology components to the
operational systems. No matter the means, improving the security posture requires
collaboration across security stakeholders to conduct:

- New risk assessment
- Governance policy changes
- New threat rankings and risk prioritisation
- Stakeholder responsibility and buy-in assessment

Cyber security resilience requires consistent threat and vulnerability assessments
of the OT security programme's progress towards its stated success metrics,
as defined in the planning and governance phases. As such, the OT security
programme activities may have an end date, but the focus on OT security will need
to remain. OT security stakeholders must sustain these activities by maintaining a
strong testing discipline and improving implemented security controls. A working
cyber security management system helps with that.


FIGURE 2: OT Security Programme Discipline Framework

[Figure: a cycle of six practices around the central theme "Discipline": security policy; communication and policy enforcement; continuous monitoring; security audits and drills; continuous performance assessment and improvement; penetration testing and red-team exercises.]

OT security programme initiation must contain a robust assurance process
within its design so that the cyber security management system is sustainable
and part of the long-term operations and maintenance goals. This means
monitoring and assessing the implementation and uptake of maintenance
activities to ensure the organisation achieves resilience against major cyber
threats. This monitoring can commence during the OT security programme
initiation and continue afterwards to ensure compliance with laws, regulations,
and industry standards. The collaboration and partnerships that the programme
initiation phase builds will ensure that organisations can react quickly to new
regulatory or compliance standards or changes in the threat landscape, even
if they require changes to the OT architecture, connected systems, policies, or
team responsibilities.


Having the right governance structures in place ensures that external and internal
information is available to the right stakeholders in the organisation so that they
can process, discuss, and act on the information by adapting the control framework
or updating guidance and work instructions. This will improve the situational
awareness and knowledge of internal and external parties involved in keeping the
organisation safe, secure, and resilient.

BUSINESS-AS-USUAL AND OT PROGRAMME SUSTAINABILITY TO-DOS

- Build a culture of OT security resilience through discipline
- Embed cyber security controls and resilience discipline in long-term operations and maintenance teams beyond the initial OT security programme implementation
- Educate third-party vendors and organisational departments about security discipline to ensure the resilience culture expands to partners
- Establish proper governance structures and cyber security management systems to ensure long-term adherence to security goals


Conclusion: The Importance of OT Security to Organisational Security Resilience

The threat landscape is evolving, and OT security leaders recognise just how
vulnerable their organisations are to cyberattacks. Organisations realise the
importance of maintaining an ongoing OT security programme for long-term
operational and business success. In most organisations, a gap still exists in
understanding how OT security programmes, controls, and solutions differ
from existing IT security solutions. The increase in cyber-attacks targeting OT
environments in several companies worldwide and in regulatory requirements may
have triggered a willingness in organisations to plan, create, and employ viable OT
security programmes to achieve a more robust OT security maturity level.

Successful OT security programmes require commitment from the relevant
stakeholders in the organisation, including the business owners. Creating an OT
security framework that aligns with operational and regulatory requirements, and
maintaining the discipline to keep a long-term focus on those goals, are equally important.
Any subsequent implementation activities should not disrupt ongoing operations; they
should sustain them in a way that is cognisant of risk but agile enough to pivot.

Futureproofing and future planning are also fundamental to long-term OT security
programme success. An organisation that embeds security governance, policies,
processes, and controls within broader workflows will foster a culture of resilience
and risk reduction. Resilience helps an organisation be proactive with its security,
adaptable in the face of regulatory changes, and agile in its incident response.
Building an organisational culture of risk reduction, security resilience, and proactive
risk prevention is the final and perhaps most significant contributing factor to the
success of an organisation's OT security programme.



ABOUT APPLIED RISK
Applied Risk, a DNV company, is a trusted partner for industrial cyber security driven to
safeguard the critical infrastructure our society depends on. Combining cyber security
knowledge and experience in operational technology, Applied Risk provides tailored
solutions that assist asset owners, system integrators and suppliers to develop,
deploy and maintain cyber-resilient operations. Based in The Netherlands, Applied Risk
operates on a global scale, helping protect industries such as oil and gas, power, water
management, pharmaceuticals, healthcare, manufacturing, maritime and transport.

DNV is an independent assurance and risk management provider, operating in more than
100 countries, with the purpose of safeguarding life, property, and the environment.
As a trusted voice for many of the world’s most successful organisations, we help seize
opportunities and tackle the risks arising from global transformations. We use our broad
experience and deep expertise to advance safety and sustainable performance, set
industry standards, and inspire and invent solutions.

ABOUT FROST AND SULLIVAN
For over six decades, Frost & Sullivan has provided actionable insights to corporations,
governments and investors, resulting in a stream of innovative growth opportunities that
allow them to maximize their economic potential, navigate emerging Mega Trends and
shape a future based on sustainable growth.
