"Yes, we have a skills gap when it comes to the cybersecurity of heavy assets. But with the right technology, we can fill a lot of those gaps." - Tommy Evensen
All-encompassing connectivity means our physical environments are increasingly paired up with digital twins: they help augment realities, predict maintenance, and reduce emissions. At the same time, it means bringing systems and structures that were not designed to be connected, online. In my experience, very few organizations have the full overview of the interdependencies and the vulnerabilities of their own operational environment. In this case, ignorance is not bliss.
It is dangerous.
Personally, I experienced the power of urgency when working in the oil and gas industry, in Norway's energy capital Stavanger, in the mid-2010s. I was working on IT systems for the offshore sector. We were operating under a regime where 'ease of use' was the only thing that mattered. If control systems were easy and intuitive, they were considered safe – because we could minimize the likelihood of malfunction or human error. In the offshore industry, safety always comes first.
During my time in oil and gas, I interacted with advanced control systems. Many of them with security loopholes or compromises that had been implemented to ensure ease of use. Identifying these gaps and solving them was my job. But it also got me thinking about everything that could go wrong with these massive digital installations. This is where my fascination for operational technology (OT) and security started.
When the oil price plummeted in 2016, companies had to cut costs – quickly. The crisis turned out to be a massive opportunity for someone working in IT. Top management realized that digitalization, automation, and connectivity would be essential to maintain quality and safety, while reducing operating costs. It was the perfect pretext to make changes with real impact on both IT and operations, while building in security with this new development.
My path to operational technology went through IT. For me, it meant I had to unlearn some things that come naturally to an IT professional: if something happens to a device, you try to isolate it to stop the spread to other connection devices. In an offshore drilling rig, isolation is not possible. Systems are intertwined and interdependent in myriad ways. Without intimate knowledge of the system, it's hard. So many companies rather spend time and resources re-skilling and educating the field experts they have, teaching them IT and networking.
Managing a rapidly evolving threat picture across complex operational and IT environments requires skills and experience. But relying on individual resources to maintain the full overview of a critical operation is risky and costly. Firstly, there is a massive shortage of skills in OT cybersecurity. Secondly, the specialized skills required for operational technology are notoriously hard to develop. And thirdly, without deploying a supportive technology that can follow and address new threats, even skilled employees are always going to be playing catch-up the most advanced threat actors.
We're delivering the technology that helps bridge the gap between OT security skills and rapidly advancing threats. We help clients get the full overview of their own systems. We can simulate a live event happening on a 3D plant or a digital twin. We can see the cause and effect on your processes. We can see the dependencies and educate people on the potential harm of cyber threats.
“When you deploy the right technology, the skills shortage is not an issue."
Rather than talking about the skills gap, let’s talk about reskilling our people and deploying adaptive technology. When you put a digital tool purpose-built for OT cybersecurity into the hands of people with deep knowledge of that asset or infrastructure, it’s then that industrial operations can truly become more resilient, more proactive and most importantly, more secure.