Where to Place the Crown Jewel
When it comes to cyber security, knowing where your crown jewels lie—and ensuring they’re adequately protected—is paramount. But IT and OT have vastly different landscapes for identifying and securing these critical assets.
In IT, the crown jewel is typically your data: “that server in that room.” Of course, it’s rarely just one server but a network of systems, often backed by failover strategies, robust backups, and even dedicated security guards keeping watch.
In OT, identifying the crown jewel is often more complex. Is it the HMI, the server, the SCADA, the PLC/DDC, the plant equipment? And then there’s the question of where it is located. Many of these critical systems are scattered across hundreds of cabinets in basements, plant rooms, or even unmanned sites, places no one visits for months or even years. Why? Because these systems were built to run “that thing” which rarely, if ever, changes.
The crown jewels of OT are unique, and because of this uniqueness, implementing cyber security controls requires a tailored and robust approach.
Hidden Risks of OT Crown Jewels
Unlike IT systems, OT environments face challenges that require a different perspective on risk and security:
1. Legacy Systems: Often outdated, unpatched, and designed without cyber security in mind.
2. Physical Inaccessibility: Systems in remote or hard-to-reach locations are often overlooked.
3. Availability: Any downtime can result in significant financial, safety, and operational consequences.
This makes defence-in-depth not just a strategy but a necessity for securing OT systems.