Risk Assessment: First Step to Securing an OT Environment
Imagine this scenario: A chemical processing company decides to launch a cybersecurity program for a manufacturing plant, so it brings together an IT expert and someone from operations who is moderately well versed in the plant networks. The two have other responsibilities and complete their task quickly, inserting a smattering of security appliances at strategic points and declaring the plant protected.
Meanwhile, a hacker who has been systematically analyzing the plant’s networks over several months has a better grasp of the architecture and of what assets are deployed than anyone in the facility. The hacker gained access because a system integrator, a few years ago, installed a Brand X PLC to solve a chemical injection problem. The technician left a path to access the PLC via the internet for follow-up service, but everyone has forgotten about it. The hacker is aware of a key vulnerability in that PLC, a default password, because its characteristics were published, but the plant never changed it because everyone had forgotten the PLC was even there. This vulnerability gives the hacker a path into the larger network through an unprotected connection from the PLC to the automation system.
While this scenario is an oversimplification, it illustrates the problems many companies face as they consider how to approach cybersecurity strategy for operations technology (OT) networks. A well-thought-out strategy will find and correct these problems, and for the rest of this article, we will look at how to implement this type of plan.

