Navigating Best Practices in Cyber-Physical Security for OT Site Assessments

In today’s digitized world, the intersection between operational technology (OT) and cybersecurity has become a focal point for building owners and IT professionals alike. OT systems oversee a variety of functions in modern buildings, ranging from HVAC to lighting, and ensuring their security is paramount. At last year’s August Lunch & Learn webinar, industry leaders Tim Vogel, Ari Reubin, Fred Gordy, Don Goldstein, and Erik Heinrich shared invaluable insights into best practices for OT site assessments and remediation. Here’s a recap:

Understanding the Divide: IT vs. OT

Tim Vogel, VP of Connected Solutions at KMC Controls, kicked off the webinar by addressing the importance of understanding what assets are in your building and what actions are necessary for cybersecurity. He emphasized, “There are only two opportunities to deal with cybersecurity: either before or after.” Proactive measures place customer interests first and can prevent costly incidents.

Erik Heinrich from RUCKUS Networks elaborated on the distinction between IT (Information Technology) and OT (Operational Technology), highlighting that OT has often been hidden in the shadows. “Operational technology has sort of been a dark magic…it was an outgrowth of these new building systems coming online and being connected to existing networks,” he observed, noting the necessity for a shift in budget allocation to account for these changes.

Budgeting for Cybersecurity in OT

The conversation turned to the essential role of budgeting in ensuring cybersecurity. Fred Gordy from Michael Baker International observed, “I think it’s a lag…[but] the awareness has definitely grown,” however, many enterprises have yet to allocate sufficient funds towards OT security measures.

Don Goldstein of 5Q pointed out that the variability in budgeting is dependent on who owns the properties. “You have to look at what’s in the building and how old those systems are…if they’re acquiring a portfolio of properties, that’s the time to go in and assess what the cost is to remediate,” he advised, underscoring the strategic timing of cybersecurity investments.

The Complexity of Converging Technologies

As OT systems become increasingly sophisticated, requiring more IT resources, companies face challenges in managing these converging technologies. Erik explained, “We have access points that we call “IoT ready”… these are aggregating different types of protocols onto your same platform,” which can complicate network security.

Tim noted the emergence of technologies as both an opportunity and challenge, mentioning, “Technology is messy… it can be a lot to bring it all together.” This reinforces the need for meticulous planning and expert guidance in integrating these systems effectively and securely.

Planning for the Unexpected

The webinar emphasized the importance of having a solid response plan. Fred highlighted that “response paralysis takes over… roles and responsibilities need to be clearly defined.” Real-world examples, like the one involving Equinix Data Centers, illustrate the dire financial repercussions of poor response planning.

According to Don, proper preparation involves not just creating plans but practicing them. “Even if you have an incident response plan, are you practicing it?” he asked, reiterating the value of routine drills and staying ahead of potential threats.

Leveraging Federal Best Practices

While commercial applications can benefit from federal standards, the panel acknowledged the learning curves involved. Fred highlighted using frameworks like NIST and ISA standards, saying, “The asset owner is ultimately responsible… and having been an integrator, nobody came in and checked behind us, with the exception of test and balancing.” He advocated for instilling robust cybersecurity measures to align commercial practices with federal requirements.

Key Takeaways

The webinar shed light on the dynamic and multifaceted nature of cybersecurity in OT environments. From budgeting considerations to converging network technologies and response planning, each aspect requires both strategic insight and practical applications. The consensus is clear: a proactive approach in aligning cybersecurity practices with both IT and OT demands, backed by expert collaboration, is integral to safeguarding modern infrastructures.

As the session concluded, Tim reaffirmed the collaborative spirit of the event, “Thank you everyone for joining us on this best practices webinar…reach out anytime if you have questions or want to dig deeper.”

For more details on implementing these strategies, consider exploring resources and connecting with industry experts to stay ahead in

See the full episode here: