Partnering With the Legal Team on OT Cybersecurity

With proper coordination, legal counsel can be a key partner for security teams, helping them make headway on their OT vulnerabilities while limiting legal risk.

Ben Miller, Vice President of Professional Services and R&D, Dragos, Inc.

August 12, 2021

5 Min Read

Any operational technology (OT) cybersecurity leader worth their salt knows it's impossible to manage risks you don't know about. Risk assessments, penetration tests, vulnerability assessments, and discovery exercises are crucial for building up a cybersecurity program. These are the tools by which a cybersecurity team can identify and enumerate risks so they can address them.

Finding and addressing security flaws is the most important step a company can take to reduce associated legal risks. But it's also possible to create unnecessary legal risk during an assessment, particularly if your company identifies problems but then fails to respond. Legal counsel can be an important partner for a security team to the extent that it helps identify and avoid such pitfalls throughout an assessment and other security activities. Through coordination of the security and legal teams (and other stakeholders as needed), a company can both mature its OT cybersecurity processes and avoid legal risk along the way.

OT Cybersecurity Has High (Legal) Stakes
Potential legal consequences from cyber deficiencies are significant. Even a seemingly minor incident or vulnerability can be burdensome to manage.

These legal risks are particularly magnified when vulnerabilities are identified in the OT that runs a company's industrial systems. OT systems are the physical-world cousins of IT systems. They can run anything from building automation to power generation plants to expensive manufacturing equipment. They are also often highly connected, sometimes running on similar operating systems, and may be equally vulnerable to cyberattacks.

But OT systems also differ substantially from IT systems. They have a distinct set of protocols and often include a range of OEM vendors using a variety of embedded systems and software. Software update frequency may be subject to contractual and practical limitations, and these systems typically have a much lower tolerance for downtime. That's because when these systems go down or malfunction, the disruptions can directly affect and halt the core functionality of the business. Even more worrisome is the risk to human safety, particularly in industries like energy and utilities, manufacturing, transportation, and mining. Ultimately, OT risks directly influence environmental, social, and governance (ESG) matters.

Needless to say, the legal exposure from such incidents could be vast, whether through private lawsuits or regulatory enforcement.

OT Cybersecurity Isn't Easy
OT systems operate under very different compliance regimes than IT systems, and they're frequently outside the purview of the CIO or technology leadership. Further complicating matters, it can be difficult for cybersecurity leaders to build necessary internal relationships and get the access they need to gain visibility into their OT environments.

OT penetration tests and vulnerability assessments need to be run differently to account for the unique exigencies of OT uptime and health and safety requirements. Adding further complexity, even when a cybersecurity team has coordinated with industrial operators to perform security assessments on these OT systems, it can take a lot of technical work and time to mitigate the security gaps found within them. And of course no company wants to find a vulnerability only for it to be exploited before the company is able to secure its systems.

At the same time, that flaw will exist whether an organization knows about it or not. And the only way to address it is to test for it, come up with a plan to fix it, and execute on that plan. So security pros have to find a way to do what they must on OT cybersecurity — and allow other business leaders to sleep at night.

Why Partner With Legal?
Lawyers aren't technical experts, but they can help security teams do their work in a way that best protects the company from legal risk. A legal team can tell you what you can and cannot do from a legal perspective, of course. They'll also advise you in an incident and defend the company's security practices if it comes to litigation. They can also be valuable partners well before that point, including by helping you organize your security program, build relationships across stakeholders, navigate issues that you wouldn't have considered, and weigh the range of risks associated with OT security.

For example, the legal team can help you address distinct OT cybersecurity challenges that aren't covered under the typical enterprise IT playbook. Organizational structures and relationships that support enterprise IT security typically don't apply to OT security. Companies generally need to build separate internal structures and relationships to support OT security and associated legal risk management. This includes the group that holds ownership and accountability over the physical equipment and infrastructure, a group that usually does not fall under the IT business unit or the CIO's operation. The legal team often can play an important role in helping coordinate these stakeholders, including by explaining the legal imperative for effective collaboration.

Cybersecurity leaders also benefit from working with counsel when assessing cyber-risks. Candidly discussing the OT cyber-risks facing the company, and the associated legal risks, is a key step toward mitigating them. Holding those conversations under legal privilege facilitates frank discussion, because, with limited exceptions, privileged advice does not have to be disclosed in court if the worst-case scenario does occur.

While the law of privilege, including how attorney-client protections apply to third-party technology vendors and security engineers, continues to evolve, retaining security vendors to perform penetration tests and other assessments under privilege will be critical. This means ensuring the statement of work (SOW) makes clear that the activity will inform legal advice provided by counsel. Limiting distribution of the resulting report and having the budget for these tests come directly out of the legal department will further strengthen privilege arguments.

In short, partnering with legal can help security teams make headway on their OT vulnerabilities — and otherwise advance their OT security programs — while limiting legal risk. Done right, the partnership between security and legal is a win-win for risk assessments and other security priorities.

About the Author(s)

Ben Miller

Vice President of Professional Services and R&D, Dragos, Inc.

Ben Miller is Vice President of Professional Services and R&D with Dragos, Inc., where he leads a team of analysts in performing active defense inside of ICS/SCADA networks. He is responsible for a range of services, including threat hunting, incident response, penetration testing, assessments for the industrial community, and advanced research and innovation within ICS security. 

Prior to Dragos, Inc., Ben was Associate Director, Electricity Information Sharing & Analysis Center (Electricity ISAC), and led cyber analysis for the sector. Ben and his team focused on leading edge cyber activities related to the North American bulk electric system. He was recognized as instrumental in building new capabilities surrounding information sharing and analytics in his five years at the E-ISAC. 

Ben has spoken at venues including Black Hat, SANS, ICSJWG, ShmooCon, and others. SANS recognized him as a 2017 Difference Maker Award Winner for his contributions to the electricity sector.
