The OT Security Academy

As We Digitalize Industry, Safe Doesn't Always Mean Secure

Written by Tommy Evensen | October 25, 2023

We sat down with our Head of Customer Success, Tommy Evensen, for a continued conversation about the future of industrial cybersecurity. OT security has traditionally garnered less attention that IT security but both are important as companies modernize their equipment, creating new vulnerabilities to cyber attacks. There is not only a gap in information but also a skills gap of experts in OT security. How can we quickly address this lack of expertise to quickly meet the demand? Evensen gives us his perspective on how to solve this dilemma.

"Yes, we have a skills gap when it comes to the cybersecurity of heavy assets. But with the right technology, we can fill a lot of those gaps." - Tommy Evensen

 

According to the World Economic Forum, there will be a global skills gap of 3.4 million cybersecurity specialists this year.

All-encompassing connectivity means our physical environments are increasingly paired up with digital twins: they help augment realities, predict maintenance, and reduce emissions. At the same time, it means bringing systems and structures that were not designed to be connected, online. In my experience, very few organizations have the full overview of the interdependencies and the vulnerabilities of their own operational environment. In this case, ignorance is not bliss.
It is dangerous.

It is in bridging this gap I have found my passion.

Personally, I experienced the power of urgency when working in the oil and gas industry, in Norway's energy capital Stavanger, in the mid-2010s. I was working on IT systems for the offshore sector. We were operating under a regime where 'ease of use' was the only thing that mattered. If control systems were easy and intuitive, they were considered safe – because we could minimize the likelihood of malfunction or human error. In the offshore industry, safety always comes first.

But safe does not mean secure.

During my time in oil and gas, I interacted with advanced control systems. Many of them with security loopholes or compromises that had been implemented to ensure ease of use. Identifying these gaps and solving them was my job. But it also got me thinking about everything that could go wrong with these massive digital installations. This is where my fascination for operational technology (OT) and security started.

 

Necessity breeds innovation – and culture change.

When the oil price plummeted in 2016, companies had to cut costs – quickly. The crisis turned out to be a massive opportunity for someone working in IT. Top management realized that digitalization, automation, and connectivity would be essential to maintain quality and safety, while reducing operating costs. It was the perfect pretext to make changes with real impact on both IT and operations, while building in security with this new development.

A personal growth story.

My path to operational technology went through IT. For me, it meant I had to unlearn some things that come naturally to an IT professional: if something happens to a device, you try to isolate it to stop the spread to other connection devices. In an offshore drilling rig, isolation is not possible. Systems are intertwined and interdependent in myriad ways. Without intimate knowledge of the system, it's hard. So many companies rather spend time and resources re-skilling and educating the field experts they have, teaching them IT and networking.


We need to change the conversation about the cyber skills shortage.

Managing a rapidly evolving threat picture across complex operational and IT environments requires skills and experience. But relying on individual resources to maintain the full overview of a critical operation is risky and costly. Firstly, there is a massive shortage of skills in OT cybersecurity. Secondly, the specialized skills required for operational technology are notoriously hard to develop. And thirdly, without deploying a supportive technology that can follow and address new threats, even skilled employees are always going to be playing catch-up the most advanced threat actors.

 

This is what makes me so passionate about Omny's product offering.

We're delivering the technology that helps bridge the gap between OT security skills and rapidly advancing threats. We help clients get the full overview of their own systems. We can simulate a live event happening on a 3D plant or a digital twin. We can see the cause and effect on your processes. We can see the dependencies and educate people on the potential harm of cyber threats. 

“When you deploy the right technology, the skills shortage is not an issue."

 

Perhaps it’s time to change the conversation.

Rather than talking about the skills gap, let’s talk about reskilling our people and deploying adaptive technology. When you put a digital tool purpose-built for OT cybersecurity into the hands of people with deep knowledge of that asset or infrastructure, it’s then that industrial operations can truly become more resilient, more proactive and most importantly, more secure.