This session will explore the unique challenges of third-party risk management in OT environments compared to IT. While IT often focuses on product security and vendor patches, OT introduces a distinct landscape.

In 2023, the U.S. SEC reported that 98% of organizations were linked to a third party that had experienced a cyber breach. Gartner also reports that third-party breaches typically cost 40% more to resolve than internal security incidents. Additionally, supply chain attacks skyrocketed by 742% leading up to 2022, with global damages expected to reach $138 billion by 2031.

So, how can IT and OT collaborate to close security gaps to mitigate severe risks of disruption and compromise?

We’ll explore:

1. Different Perspectives: Uncover the fundamental differences in third-party risk between OT and IT, and the role integrators and device manufacturers play. Vendor maintenance contracts frequently require remote access protocols that may violate internal policy. Regaining control of these environments from integration and support vendors is key to differentiating success in OT environments. 
2. Remote Access Complexity: Delve into the intricacies of third parties actively managing OT systems with remote, real-time troubleshooting, likening it to having a person physically present. 
3. Contractual Gaps: Explore the challenges tied to inadequate contractual safeguards for system owners leading to unpatched vulnerabilities, insecure configurations, and limited real-time monitoring and control. 
4. Mitigating Threats: Learn actionable strategies to mitigate risks stemming from disgruntled or malicious third-party employees, including threat actors, vendettas, or bribery. 
5. Security Measures: Gain insights into establishing direct control, real-time visibility, and non-repudiation in OT environments. Discover how to enable access as needed and implement procedures for real-time enablement and disablement.

Impact and Tangible Takeaways:

- Learn to actively control third-party access requirements in OT environments. 
- Explore real-time monitoring techniques to gain immediate insights into third-party activities. 
- Discover methods to swiftly and directly cut off access, reducing exposure to potential threats. 
- Understand how to set strict access limitations, ensuring third parties interact only where necessary. 
- Recognize the need for clear contractual language to address risks tied to third-party employees and data breaches. 
 
Throughout the presentation, I’ll reference a recent case study from my team, where a large organization, confident in its third-party vendor controls, discovered a major security breach at one of its plants.