    Stop Overthinking OT Security: People, Process and Technology

    By Admin, April 21, 2026 (6 min read)


    Picture this:

    A security manager sits down with a whiteboard and a mandate from leadership to finally get serious about OT security across the organization. The plan starts to take shape — dozens of security appliances spanning multiple plant sites, SPAN ports configured on every critical network segment, and a monitoring architecture that would deliver the kind of deep visibility the team has never had before. The executives are thrilled: improved maturity scores all around!

    It sounds perfect: it’s ambitious, it’s thorough, and it feels like real progress. But then the budget and task spreadsheet starts telling a different story:

    New switches and cable runs to support the SPAN collection, rack space for dedicated appliances, power and HVAC upgrades, installation labor, and the ongoing maintenance cost of the new infrastructure — the number at the bottom of the page shatters that vision. The hidden costs are 3X the price of the OT security product itself, and the site manager’s KPIs? Well, they are all about revenue, output and uptime.

    And suddenly, the question isn’t whether the organization should invest in OT security — it’s whether there’s a smarter way to get there without letting the infrastructure tail wag the security dog.

    Based on many discussions we had during the S4x26 ICS security conference, and on feedback from customers, we wanted to outline a practical and cost-efficient plan for achieving effective OT security.

    This two-part blog series lays out practical advice on how to get your OT security program started. This first post in the series outlines what we are calling a starter pack framework, organized around people, process, and technology (PPT), to help mid-sized industrial operations build a credible cybersecurity foundation without breaking the bank. The second blog will unpack aspects around total cost of ownership (TCO) and using technology refresh cycles strategically.

    The Starter Pack Framework — People, Process, and Technology on a Budget

    This framework isn’t about buying the most expensive tool. It’s about making sequenced, intelligent investments that deliver the most security coverage per dollar — while respecting the human and operational constraints you actually face.

    People — Working with the Team You’ve Got

    Most mid-sized operations won’t hire a dedicated OT security person. That responsibility will land on someone already wearing five hats — a plant engineer, an IT generalist, an OT manager. How this plays out is all too common for folks in the field: people get “tapped on the shoulder” and told they’re now responsible for OT security. Most of these people are not cyber and network wizards.

    Accept this as a design constraint, not a problem to solve with headcount. Solutions that demand dedicated staff to operate are non-starters. Look instead for tools with automated asset discovery, pre-built dashboards, and managed service tiers that offload the analysis burden.

    Cross-training beats hiring. Leverage vendor training programs, local chapters of cybersecurity associations (which are seeing increasing OT security engagement), and community events to build competence across your existing team incrementally.

    Process — Start with What Enables the Business, not a Compliance Checklist

    Forget maturity models that assume resources you don’t have. Start with a good ol’ site walkaround, get out the whiteboard, plug into a console and dump network and routing tables. It would be logical to say start with visibility, but asset inventory is step zero. However, you don’t have to boil the ocean. Most of the senior folks at the plant haven’t been sitting idle — most know what will cause a bad day, and the site manager (or senior process engineer) knows what machines make the revenue, or which system will burn revenue and hurt forecasts. Start somewhere, and with something — don’t wait for perfect.
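
A minimal sketch of that step zero, added here as an illustration and not taken from the original post: it turns a dumped ARP table and connected routes into a per-subnet asset list and reconciles it against the whiteboard list from the walkaround. The device output, addresses and asset names are constructed samples in Cisco IOS style.

```python
import ipaddress
import re

# Constructed sample of Cisco IOS-style "show ip arp" output (not from a real site).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0011.2233.4401  ARPA   Vlan20
Internet  10.10.20.11            12   0050.56a1.0b01  ARPA   Vlan20
Internet  10.10.20.12             3   0050.56a1.0b02  ARPA   Vlan20
Internet  10.10.30.1              -   0011.2233.4402  ARPA   Vlan30
Internet  10.10.30.5             41   0000.bc12.3456  ARPA   Vlan30
Internet  10.10.30.9              0   Incomplete      ARPA
"""
# Constructed connected routes in the style of "show ip route connected".
SHOW_IP_ROUTE = """\
C        10.10.20.0/24 is directly connected, Vlan20
C        10.10.30.0/24 is directly connected, Vlan30
"""
# Hypothetical whiteboard list from the site walkaround: IP -> what the plant calls it.
WALKAROUND = {"10.10.20.11": "Filling line PLC", "10.10.30.5": "Historian",
              "10.10.30.77": "Packaging HMI"}

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I)
ROUTE_RE = re.compile(r"^C\s+(\S+/\d+) is directly connected, (\S+)")

def build_inventory(arp_text, route_text):
    """Return {subnet: [host, ...]} for every ARP entry with a learned MAC."""
    nets = [ipaddress.ip_network(m[1]) for line in route_text.splitlines()
            if (m := ROUTE_RE.match(line))]
    inventory = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue  # header line, or an "Incomplete" entry with no MAC learned
        ip, age, mac, iface = ipaddress.ip_address(m[1]), m[2], m[3].lower(), m[4]
        if age == "-":
            continue  # "-" age is the router's own interface address, not an asset
        subnet = next((str(n) for n in nets if ip in n), "unmapped")
        inventory.setdefault(subnet, []).append(
            {"ip": str(ip), "mac": mac, "interface": iface})
    return inventory

def reconcile(inventory, walkaround):
    """Return (on the network but not listed, listed but not seen on the network)."""
    seen = {h["ip"] for hosts in inventory.values() for h in hosts}
    return sorted(seen - set(walkaround)), sorted(set(walkaround) - seen)

if __name__ == "__main__":
    print(reconcile(build_inventory(SHOW_IP_ARP, SHOW_IP_ROUTE), WALKAROUND))
```

Hosts in the first list need an owner and a purpose; hosts in the second are either powered down, on a segment this device cannot see, or recorded with the wrong address.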

    Next, treat network segmentation as a process decision, and as a way to optimize both performance and your defensive position. Identify your most critical equipment and systems and start your segmentation project there. And of course, begin by defining what the Minimum Viable Security Stack is for your organization, your business units, and your sites.

    Technology — The Minimum Viable Security Stack

    Tier 1 — Get Started. Step one is a firewall/router that creates an industrial DMZ, isolating your IT network from the OT network. Next, a Layer 3 managed switch in Purdue Level 3 forms the foundation. Deploy a lightweight OT visibility solution like Cisco Cyber Vision that runs on the switch, giving you North-South visibility and the ability to start identifying key assets. Or, if you are still early in that journey, with the right devices at key locations you can collect NetFlow data for debugging and performance analysis. You can always begin with a free version and upgrade as you go, from this tool to Splunk.
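
One check that Tier 1 flow data makes possible, shown as an added example rather than anything from the original post or a vendor tool: classify exported flow records by zone, list conversations that cross between IT and OT without going through the industrial DMZ, and rank OT assets by north-south volume. The zone subnets and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed zone plan for illustration; substitute your own subnets.
ZONES = {
    "OT":   ipaddress.ip_network("10.10.0.0/16"),
    "IDMZ": ipaddress.ip_network("172.16.50.0/24"),
    "IT":   ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed flow records (src, dst, dst_port, bytes), as a flow collector might export them.
FLOWS = [
    ("10.10.20.11", "10.10.30.5", 44818, 120_000),   # PLC -> historian, stays inside OT
    ("10.10.30.5", "172.16.50.10", 443, 900_000),    # historian -> IDMZ replica
    ("192.168.1.25", "172.16.50.10", 443, 300_000),  # IT client -> IDMZ replica
    ("192.168.1.77", "10.10.20.11", 502, 4_000),     # IT host -> PLC directly
    ("10.10.20.12", "192.168.1.9", 445, 60_000),     # OT host -> IT file share directly
    ("10.10.30.5", "172.16.50.10", 443, 450_000),
]

def zone_of(addr):
    """Map an address to its zone name, or EXTERNAL if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "EXTERNAL")

def analyze(flows):
    """Return (flows that bypass the IDMZ, OT assets ranked by north-south bytes)."""
    bypasses, north_south = [], Counter()
    for src, dst, port, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # traffic inside one zone is not a boundary crossing
        # An OT endpoint talking to anything other than the IDMZ skipped the IDMZ.
        if "OT" in (sz, dz) and "IDMZ" not in (sz, dz):
            bypasses.append((src, dst, port))
        ot_asset = src if sz == "OT" else dst if dz == "OT" else None
        if ot_asset:
            north_south[ot_asset] += nbytes
    return bypasses, north_south.most_common()

if __name__ == "__main__":
    found, ranked = analyze(FLOWS)
    print("IDMZ bypasses:", found)
    print("OT assets by north-south bytes:", ranked)
```

Each bypass entry is either a firewall rule to tighten or a service to relocate into the DMZ; the ranked list is a starting point for the key-asset discussion with the plant team.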

    Tier 2 — Deeper Visibility. The next goal should be to expand deployment of the visibility solution to lower levels in the OT network (Purdue Levels 0-2), by embedding the sensor in switches or running it as a container on industrial compute if existing switches don’t support it. With the investments from Tier 1, further visibility tied into the facility’s entire network stack, and initial monitoring infrastructure in place, the gains will begin to multiply; it won’t just be about security anymore.

    Tier 3 – Start to build an evidence-based security governance program. Leverage free or low-cost solutions where they exist — tools like Splunk’s free data ingest tier can give you vulnerability and security posture dashboards out of the box. Ingesting OT security telemetry into Splunk can enable you to start building out a security governance program.

    Be Careful of the Hidden Cost — SPAN Architectures. If you’re considering passive monitoring via SPAN or mirror ports, factor in infrastructure realities. Many facilities still run 50 Mbps uplinks. Deploying new cable runs for facilities is expensive. For large multi-site operations, SPAN costs, multiplied across dozens of factories, can dwarf software licensing. For small operations, SPAN is usually manageable, but know the cost before you commit.

    Take the First Step

    Every organization will have a unique people, process and technology mix. Think of what yours can be. Identify possible gaps and build a plan to address them in a sequenced investment rather than attempting to tackle every aspect all at once. Remember that getting your OT security program started requires the basics — and the basics are surprisingly affordable.

    Start, for instance, by identifying your crown jewels and focusing on developing security controls to safeguard these critical assets and systems. Over time, it will become clear what a minimum viable security stack looks like for your environment and what additional investment is needed to adequately safeguard it.

    In the second blog, we will take a closer look at the total cost of ownership (TCO) of addressing OT security needs. We will also focus on being strategic and using the opportunities that technology refresh cycles present.

     
