Skip to main content
close search
site logo
Dive Brief

Boards, CISOs seek alignment on OT security challenges

Published Jan. 24, 2022
David Jones's headshot
Reporter
Drew Angerer via Getty Images

Dive Brief:

  • Companies need to create alignment, from the board level down, to assess the risk of a cyberattack on operational technology, according to Robert Lee, founder and CEO of industrial cybersecurity firm Dragos, speaking on a Dragos-Rockwell Automation webinar last week
  • OT drives revenue for industrial companies and top executives, board members and CISOs must properly allocate resources to make sure those operations are protected and can continue to function in the wake of an attack, Lee said.
  • CISOs need to decide what are the relevant threats for their particular company and focus on informing senior leadership about those threats, Dawn Cappelli, VP of global security and CISO at Rockwell Automation.

Dive Insight:

Companies have historically focused on the impact of ransomware and supply chain attacks on information technology but have often failed to account for the potential impact on operational technology, according to the panel. 

"A lot of these companies have a ton of intellectual property," Lee said, "and it's not maintained on an email server. It's in your manufacturing lines, it's in your production environment."

The SolarWinds supply chain attack from 2020 and the historic surge in ransomware attacks forced a renewed dialogue about how cyberattacks can essentially halt production at major industrial firms. 

Some of the most critical ransomware attacks in the U.S. in 2021 involved attacks on IT that forced the temporary shutdown of OT, creating real impacts on production capabilities and having tremendous impact on customers. During May 2021 ransomware attack on Colonial Pipeline, the largest U.S. fuel supplier, the company shut down supply lines for about six days. 

Corporate boards should be informed about potential risk scenarios that may impact certain industries, Lee said. For example, electric utilities should be aware of the 2015-2016 power grid attacks in the Ukraine, while oil and gas companies should have knowledge about the 2017 attacks that hit Saudi Arabia. 

Some CISOs make the mistake of not sharing certain information with board members because it's considered too technical, Lee said. But corporate boards are often very capable of understanding important threat information without getting into the minute detail of everything that happens at the security operations level. 

Filed Under: Threats

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Threats
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell