BitSight, Schneider Electric partner to quantify OT risk

BitSight and Schneider Electric have partnered to develop a new way to quantify operational technology risk, an area that's increasingly harder to defend.

The collaboration was announced in a blog post Monday that detailed a "first-of-its-kind" capability the vendors have named Operational Technology (OT) Risk Identification and Threat Intelligence. The offering will utilize BitSight's cyber risk ratings and data analysis to identify potential threats across OT attack surfaces.

Many of those surfaces belong to critical infrastructure in both the private and public sectors that pertain to energy, public health and transportation systems, among others. Last month, the U.S. Government Accountability Office made eight recommendations to lead agencies in federal departments and others, including "evaluating sector IoT and OT cybersecurity risks."

Major struggles for OT security include a lack of understanding of how many external connections exist and problems with efficient patching. Concerns about OT security and critical infrastructure have risen in the wake of Russia's invasion of Ukraine last February, which included cyber attacks against Ukraine's energy grid and other areas.

Two goals of the new partnership highlighted in the BitSight blog post were enhancing OT exposure detection capabilities by identifying misconfigured connected devices and providing increased visibility into industrial infrastructure and industrial control system (ICS) devices.

While Schneider Electric is the first company BitSight has established this level of partnership with, the security vendor has worked with hundreds of critical infrastructure companies in the past who utilize OT. Stephen Boyer, co-founder and CTO of BitSight, told TechTarget Editorial that its traditional products don't specifically cater to OT companies. But new engagements and its work with Schneider are expanding its database.

"BitSight is providing actionable intelligence to Schneider about the internet-wide exposure of their products and devices and the operating organizations, which allows Schneider to engage with these organizations and secure those devices before they become compromised by malicious actors," Boyer said in an email to TechTarget Editorial.

Quantifying OT risk has more barriers compared to IT. Boyer described the main difference between the two as IT systems manage data, while OT devices control the physical world. However, the two areas are converging. If successful, that will allow OT to become more efficient, he said.

Problems arise when it comes to safely connecting those technologies to the internet due to OT systems having limited security features and vulnerability patching concerns. Boyer said many devices that are being brought online were not even designed with that function in mind.

"Sometimes they use proprietary protocols that make them harder to secure. More often than not, security patches are not available, or the downtime to apply is those is not acceptable," he said. "By their very nature, the physical impact OT systems might have on the world makes them inherently critical to the organization."

Because of that, Boyer said threats to OT environments can have dire consequences. Awareness, stronger visibility, audits, penetration tests and continuous monitoring are becoming vital as OT and IT systems increasingly intertwine. In addition to improving risk detection, a goal of the new partnership aims to attribute attacks.

The blog post also emphasized that participation is open to all OT vendors willing to share information about their products to add to BitSight's data collection.