Susan Peterson Sturm, VP of Security at Cognite, looks ahead at how the cybersecurity landscape will change in 2022:
In the operational technology (OT) security space, 2021 has brought enough change to make a security professional’s head spin. It’s in this context that I want to share some perspectives on the macro industry trends that are likely to influence OT security teams in 2022.
Expect an accelerated pace of change in OT systems
After spending 20 years in the OT energy space, I used to observe a “set it and forget it” mindset quite often, with energy operators minimizing changes to OT systems, especially in Purdue Model levels 2 and below. While IoT tech has driven a great deal of visible change in levels 3 and above, I think we will see the pace of change in levels 2 and below increasing, which will enable industry to operate smarter.
The OT space and associated security controls will be much more dynamic due to these three trends:
- New workforce: 43% of energy and utilities companies report an aging workforce as a key challenge. The average age of the workers in the US utility sector is over 50 years, and more than half a million are expected to retire in the next 10 years. These demographics could not only change the teams but also catalyze adoption of more distributed expert teams that support multiple sites and drive a greater dependency on service providers.
- Applying COVID workflow lessons: With remote and distributed workforce adoption in the COVID context, team structure and work processes will likely look very different at the physical site.
- Making OT data available and actionable across the enterprise: The drive to observe and analyze OT operations and asset data across the enterprise has never been greater, given adoption of data science and low-code development by industrial and energy companies. Most companies can no longer afford to have multiple versions of truth in data spread across disparate systems.
How could these trends impact OT security programs?
- Broader adoption of cybersecurity mesh architecture: Given the shift in users and user stories, several paradigms in OT security will change as well. I anticipate major changes in how trust is managed. Cybersecurity mesh architecture secures individual devices in lieu of security perimeters. With a more distributed workforce and greater reliance on service providers, adoption of mesh cybersecurity architectures will grow mainstream in critical industry. This paradigm could securely enable more frequent application changes at sites as well. For asset owners leveraging cybersecurity mesh architecture with disparate technology and service providers, explicit definitions around the shared responsibility model are critical.
- Greater investment in up-to-date and accessible OT asset information: It is more critical than ever to provide actionable OT data for stakeholders such as data science and security teams. This push toward making OT data accessible and actionable by folks beyond the factory floor could benefit security and incident response teams that often struggle to access basics, like up-to-date OT asset inventories.
- Citizen developers and data scientists will account for a greater portion of the OT security landscape: The other big shift we will see relates to the adoption of low-code and data science applications by our colleagues in operations and maintenance. The result is that a greater part of the security perimeter will be dependent on our colleagues’ ability to embrace Secure Development Lifecycle practices in their own application development. The optimist in me hopes that the growth of citizen developers and data scientists will drive a much greater understanding of OT security practices, engineering, and architecture among our colleagues outside of OT security teams.