The cost of technical debt associated with operational technology (OT) and industrial control systems (ICS) is high. Technical debt leads to increased operations costs as teams fight to maintain outdated systems, and security teams struggle to keep those same systems secure, often through compensating controls. Technical debt is often created by neglecting systems or delaying system and software updates and upgrades. As long as this continues, the number of outdated systems continues to grow.
Once a certain amount of technical debt becomes entrenched in an environment, an organization will have a more significant challenge keeping pace with evolving technology and changing business conditions. That’s because running outdated technology inhibits integrating new systems in that environment. Over time, trying to keep outdated systems relevant can become more costly.
Because aging equipment and software are often no longer supported by the manufacturer, they are unlikely to receive critical security fixes should vulnerabilities be uncovered. This is one of the reasons why experts expect successful attacks on operational technology (OT) environments to continue to rise.
“Addressing technical debt is crucial not only for maintaining operational efficiency but also for ensuring robust security measures are in place to protect against evolving threats,” says Garry Drummond, CEO of LOCH Technologies.
Once organizations recognize that technical debt comes with security, operational, and opportunity costs, they can decide to pay it down over time. But succeeding is going to require a strategy.
“Balancing immediate operational needs with long-term strategic planning is key to effectively managing and overcoming technical debt. This requires a strategic approach that balances immediate needs with long-term sustainability,” Drummond adds.
Robin Berthier, CEO at Network Perception, says that strategy should include regular identification and prioritization of areas where legacy systems need updates or replacement.
“Emphasizing investments in solutions that offer greater integration and flexibility between IT and OT layers is crucial. Adopting a phased approach to upgrading systems, particularly at Level 3 (of the Purdue Model), helps minimize operational disruptions. It’s also essential to foster a culture of continuous improvement and learning, ensuring that staff are well-versed in the complexities of integrated IT/OT environments,” Berthier says.
In our discussions with experts, they recommended the following:
Attain Complete Visibility: Attain comprehensive visibility of OT/ICS assets, and document their lifecycle and how well each device operates. Also, take note of devices that are out of support by their manufacturer. “Conducting a thorough assessment of your existing infrastructure to identify areas of technical debt, prioritizing which debts to address first based on their impact on security, efficiency, and business operations,” says Drummond.
Quantify Technical Debt: With an asset inventory in hand, baseline the organization’s technical debt costs. These can be measured in opportunity costs (those costs stemming from an inability to deploy new technologies that expand or optimize the organization’s capabilities), along with overall operational, opportunity, and security risks.
Allocate Resources and Budget to Pay Down Debt: Secure executive sponsorship for the debt reduction plan. Address pushback by showing the risks and costs associated with the outdated systems. “Ensure that there is a dedicated budget and resources for reducing technical debt. This may involve reallocating funds from other areas or investing in new tools and technologies,” Drummond says.
Prioritize System Modernization: What systems should be modernized first? “Not all technical debts are equally critical. Prioritize them based on factors like risk, impact on performance, and the cost of resolving them. High-risk issues, especially those affecting security, should be at the top of the list,” Drummond says.
Keep Debt Low Over Time: Ideally, this is done by continuously reviewing systems for new debts that arise and managing them before they grow problematic.
Jonathan Sword, director at cybersecurity consultancy Agility Cyber, says technical debt is impossible to avoid entirely.
“However, it can be reduced and managed effectively. OT devices, in particular, are designed to last a long time, reliability-wise, versus being constantly updated with new features,” he says. “Whilst there’s often gateways that can allow legacy components to function and supply the data to modern management and monitoring solutions.”
Sword believes this is best achieved by building the environment as discrete components rather than a handful of full-featured OT devices. This micro-service style approach means the organization meets its functional and security requirements.
“Still, when new capability is required, it can simply be added, or existing singular components replaced, rather than having the technical debt of re-architecting and procuring an entire deployment,” he says.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.