How Organizations Can Grow Effectively In Cybersecurity For Critical Infrastructure Space The growth of IBM's OT security business has valuable insights as organizations seek to grow in this space either as providers or consumers of cybersecurity services

Businesses today are becoming highly interconnected, cutting across industries. This has resulted in an ever-growing spate of cyber-attacks, which are becoming very common. Interestingly, Critical infrastructure (CI) industries such as power, oil and gas, dams, mass transit, and water utilities have become prime targets. With the complexities of current geopolitics, major incidents such as Stuxnet virus, Colonial Pipeline hack, and malware attack on Kyiv's power grid are occurring with alarming regularity. As is evident from these incidents, the intent is more than a mere monetary payout, it is to cause major service disruptions to the targeted entities.

In the early 2010s, IBM security services recognized an urgent need for a comprehensive portfolio of offerings in a dedicated Operational Technology (OT) cybersecurity business. The impetus came from an increasing number of cybersecurity-related requests from their clients in the CI space. Incidents of cyber-attacks in legacy operational technology (OT) infrastructure and in the newer internet-of-things (IoT) devices were steadily growing.

"We had a strong business in the overall cybersecurity advisory space. However, OT cybersecurity was a completely new frontier. There was very little domain expertise to tap into, a shortage of highly skilled professionals and little collateral that we could use right away." says Krishna Chaitanya Tata, a senior OT security architect at IBM who was intimately involved in establishing this business. Another major challenge was that OT networks are made up of legacy equipment that is not well suited for security hardening. IoT was very new and security professionals were only beginning to understand its intricacies.

It was well understood by the IBM team tasked with setting this business up that the offerings portfolio will help in reducing disruptions of critical services for common citizens, like water and power. So, the portfolio needed to be watertight with clearly defined offerings and be tailored to the specific industry of clients. Data security concerns for instance within the power industry are different from those in the oil and gas industry

A lot of the initial ramp-up, therefore, involved establishing a thorough portfolio of service offerings, mapped to IBM's and their partners' suite of security products. Market research, which was very nascent at the time for OT security was also given priority to reinforce the business case. Independent analyst reports were assessed to obtain important metrics such as the Compound Annual Growth Rate (CAGR) of the market. Key collateral such as architectural blueprints and implementation best practices were created. Additionally, partnerships with various niche vendors in the OT security market were established.

Within a year of the germination of the business idea, the IBM OT security practice was formalized with a defined portfolio of offerings around data security, network security, intrusion detection, network segmentation and so on, all specific to OT networks.

Over the past half a decade, the OT security business has grown to be the most profitable within the company's security services business unit. The portfolio has grown substantially over the years as has the team of highly experienced OT security professionals.

With everything that has been achieved, IBM believes that the OT and IoT security space is only just starting to grow. "Cyber-attacks on critical infrastructure industries are constantly evolving. The attacks are getting increasingly sophisticated. IoT devices and cloud services are proliferating rapidly. We must keep pushing our boundaries and keep innovating in our solutions" says Krishna. When it comes to protecting critical infrastructure, as they say, there can never really be any downtime.