by Mike Magee
Policy compliance in operational technology (OT) systems is essential for safeguarding assets, ensuring safety, and maintaining system integrity. Historically, informational technology (IT) departments have often overlooked OT systems, but with advancing technology, IT now expects OT administrators to align with enterprise-level standards. Compliance in OT is far more than a box-checking exercise; it requires diligent data collection, log reviews, and activity monitoring. While manual reporting is challenging for OT administrators, many standard IT compliance tools are incompatible with OT environments. Nevertheless, OT administrators have some effective options for reducing the manual effort needed to track compliance.
Password Policies: Ideally, your OT system should integrate with a single sign-on (SSO) platform or similar password management tool. If this is not possible, configure system software to enforce complex passwords and require periodic resets. If the system cannot support these configurations, create recurring work tickets to prompt each user to review and update their credentials regularly.
Keeping Operating Systems Current: Ensuring systems run the latest operation system (OS) versions with compatible patches is critical. OT system applications often have code that is tightly coupled with the operating systems and thus can be negatively impacted by OS updates. OT vendors need to test and approve most updates before they are applied to an OT server or device. Monitoring software can help report when updates are needed and verify deployment, but if this is not available, set recurring work tickets every six months to review updates with both the vendor and your team.
Deploy Enterprise-Level Antivirus: Enterprise-level antivirus solutions typically include automated reporting on security incidents, malware, and suspicious activities. If this level of protection is unavailable, set up local antivirus tools to auto update, run daily full scans and weekly deep scans. Ensure staff understand the importance of alerts and know how to escalate them.
Network Monitoring and Asset Inventory: Knowing what devices are connected to the network and identifying new additions is essential. Since typical IT network scanning tools can disrupt OT networks, consider passive listening tools, which are more compatible but less common in OT. If passive tools are not available, work with your vendor to assign static Internet Protocol (IP) addresses (e.g., servers could use .100-.105, controllers .10-.50). Have your OT system generate a device report every six months to identify any unfamiliar devices needing investigation.
OT System Backups: Up-to-date backups are critical for OT system resiliency. While many OT systems rely on USB backups, this method is unreliable. Automated daily incremental and regular full backups to secure on-site or cloud storage is ideal. If this is not feasible, using a portable SSD for quarterly backups is a viable alternative, provided it is stored securely. Set up work tickets to remind staff or vendors to perform these backups regularly.
Budgeting for Ongoing Compliance: Budgeting is crucial to maintaining compliance. OT systems may require equipment upgrades, network infrastructure improvements, or software updates to stay compliant. OT administrators often struggle for representation in budget discussions, so developing a multi-year compliance strategy can help strengthen their case for funding.
In conclusion, achieving and maintaining policy compliance in OT systems requires a thoughtful approach that recognizes the unique challenges of these environments. While traditional IT compliance tools may not always apply, OT administrators can use targeted strategies to improve compliance, enhance security, and reduce manual workloads. Planning for compliance-related expenses and integrating suitable technologies will further support long-term success and alignment with IT standards.
Conclusion: The commercial real estate industry is facing growing regulatory demands, making compliance a critical focus area for property owners and managers. As these obligations increase in complexity, manual processes can no longer keep pace. Utilizing technology provides a powerful solution, offering real-time tracking, reducing the risk of errors, and streamlining operations. By utilizing new and existing tools, commercial real estate professionals can improve operational efficiency, ensure regulatory adherence, and reduce financial risks.
Looking towards the future as technology continues to advance, the future of compliance reporting in commercial real estate (CRE) is likely to become even more sophisticated, with AI and machine learning further enhancing predictive compliance management and risk mitigation. For those who are slow to adopt, the risk of falling behind is significant—both in terms of compliance and overall competitiveness in the market.