The Challenges and Relevance of OT Security in Overall Digital Transformation
Ambarish Kumar Singh, CISO, Godrej & Boyce Manufacturing Co.
In an exclusive interview with CIO TechOutlook, Ambarish Kumar Singh, CISO, Godrej & Boyce Manufacturing Co., shares his opinions on how organizations can integrate OT security with minimal disruption and address the perils of outdated systems compromising security and the consequences that arise. He is a seasoned cybersecurity professional who is passionate about the field and has contributed to building secure products for the country as a military veteran. With over two decades of experience that cuts across all domains of cybersecurity, he has led the implementation of several security technologies and processes in his various assignments.
In the context of digital transformation, how can organizations effectively integrate OT security measures without disrupting operational efficiencies?
With regard to digital transformation, every organization is at a different stage; post-pandemic, the adoption speed has grown at an exponential rate. Operational technology (OT) is set up where there is a machine that controls the controller. The controller controls the bigger machine that does the manufacturing. The challenge with regard to OT integration is that the endpoints are bought along with the manufacturing machine, which is running on an older operating system (Windows XP, Windows 7 and Windows 8) for which support is nonexistent.
Now, if digital transformation is to be carried out, if data has to be carried out from these machines, analytics has to be done so predictive maintenance can be performed. This is where the challenge starts. A lot of precautionary measures have to be carried out. IT and OT cannot be carried out in a plug-and-play fashion as they expose a lot of vulnerabilities, and the impact of the OT Bridge is multifold compared to that of the IT Bridge—OT Bridge breach results in disastrous consequences.
Could you elaborate on the role of adaptive security frameworks in addressing the evolving threat landscape for OT environments?
The reason OT security has become mainstream is due to the fact that we have witnessed numerous breaches lately. These breaches end up costing the organization a lot of resources and also result in a cascading effect.
In adaptive security, the threat landscape is analyzed, and you are able to change your response corresponding to the said threat landscape automatically on the runtime; the environment is protected in real time. This brings us to zero trust; adaptive security is a core element of zero trust. The majority of organizations struggle to deploy this policy. Adaptive security in OT is very premature, as we are still struggling to deploy a basic control due to various reasons.
How can companies ensure the security of interconnected devices while maintaining seamless operations?
The prerequisites are connectivity, device security, sensor connectivity, mobile app security, web infrastructure, and network infrastructure security. Give confidence to the user that their data is secured; a lot of consideration has to be taken so that unauthorized access or privacy breaches do not occur.
An example of this is video camera recordings being stored in the cloud: only the user should be able to access them, and failure to do so will result in legal liabilities. Consideration must be given to the demands of the customer. IoT has to be approached holistically, like how it is being done for IT security.
What are the specific challenges organizations face when integrating legacy OT systems with modern digital ecosystems, and how can these challenges be mitigated effectively?
20 years ago, IT security had integration issues. There was no commitment, as everyone was under the assumption that this was somebody else’s job. Leadership was unaware of these problems. Now things have changed; everyone understands the importance of data. It is unanimously understood that data breaches impact the business, resulting in legal repercussions and brand damage. With regards to OT, where machines run on obsolete operating systems during the aforementioned time, the problems that occur are three-fold compared to conventional systems. The OT setup here is not going to connect to the internet, and this generates a sense of security. Letting them operate in silos and not letting anything connect from an external source makes for a foolproof security plan in hindsight and can be connected to the internet upon demand.
However, the problem arises when there is an issue with the controller or the software running on the Windows XP machine. The OEM, which is probably in some other part of the world, wants to connect to the OT machine. What is generally done here is a dongle is connected to the machine, allowing the technician to rectify the problem and disconnect when done. This is a risky endeavor. Connecting to an obsolete machine like Windows XP is suicidal. These machines can be breached by hackers in a matter of seconds.
Leadership should be made aware of OT security and its challenges, because the general feeling is if there are no incidents for years and if any risk is communicated it is viewed with skepticism. All these have to be communicated at the right forum with the right audiences. Risks cannot be eliminated; calculated risks must be taken. That’s the risk mitigation strategy every organization must follow.
Considering the rapid evolution of cyber threats, what strategies should companies adopt to future-proof their OT security frameworks as part of their digital transformation roadmap?
Digital transformation is all about adopting new technology to improve the product and service quality offered. To do this, one must modernize the way they are working to enhance customer experience. Derive the insights of the customer thought process, consumer behavior and leverage that data.
While this is being done, predictive maintenance on the OT machines has to be carried out. Implant sensors, pick up sensor data, move to the cloud, perform analytics and predict when things can go wrong. Formulate and implement cybersecurity strategy for OT security. Leadership must address arising concerns systematically.
Understand the businesses well, the infrastructure and the risks that are associated with it, then look at the options from the people, process and technology parts and ensure all three are complementing each other. Only then can success be achieved. If all are working in silos, the probability of success is very low.