The cultural divide between IT and OT is creating cybersecurity risks. That is the conclusion of the latest Ponemon report sponsored by Dragos. The report is titled “The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams” (registration required). It is based on the attitudes of 602 IT, IT security and OT security practitioners in the US. All have senior roles and are familiar with their organisations’ cybersecurity initiatives and ICS and OT security practices.
Steve Applegate, Chief Information Security Officer, Dragos, Inc, said: “Most organizations lack the IT/OT governance framework needed to drive a unified security strategy, and that begins with the lack of OT-specific cybersecurity expertise in the organization.
“Bridging the cultural divide between IT and OT teams is a significant challenge. But organizations must not fall into the trap of thinking that OT can just be tacked onto an existing IT program or managed under a general IT umbrella.
“There are fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production, and facility shutdowns are real risks. Deep domain expertise as well as ICS/OT-specific technologies are both required to truly safeguard industrial systems.”
Little in this report will surprise anyone familiar with the worlds of OT and IT security. For those without that experience, it will serve as a wake-up call.
Some key findings from the report
There are a lot of numbers in this report, and many will apply solely to very large organisations. That does not mean that smaller companies should ignore it. They are at just as much risk, if not more, than bigger organisations. They are seen as the gateway for supply chain attacks, especially as IT and OT systems become more integrated across multiple organisations.
- The report found only 21% of organizations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and the board are regularly informed about the state of their OT security.
- 63% of organizations had an ICS/OT cybersecurity incident in the past two years, and it took an average of 316 days to detect, investigate and remediate the incident.
- Digital transformation and trends in Industrial Internet of Things (IIoT) have greatly expanded cyber risk to the OT and ICS environment according to 61% of respondents who either agree or strongly agree.
- Only 43% of organizations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives.
- 39% have IT and OT teams that work together cohesively to achieve a mature security posture across both environments.
- Just 35% have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities.
- Only 35% of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41% say such reporting takes place only when a security incident occurs.
What is the root cause of the problem?
It’s a case of two worlds colliding: two groups with vastly different approaches to deploying systems and different views of what matters. IT security teams look at a system and try to lock it down on a least-privilege basis. OT security is about keeping the plant running safely. Availability and safety come first, maintenance windows for patching are rare, and many legacy industrial devices and protocols have little detailed security and rarely any privilege controls.
In the past, both groups have operated in relative isolation from each other. As digitisation has increased, the systems each group is responsible for have become intertwined. Operationally, making them interoperable makes sense. Practically, that convergence is the root cause of the problem.
The report encapsulates it nicely: “The safety, security, and reliability of OT systems has always been the responsibility of engineers and operators. Now that these systems have undergone digitalization, that does not mean the cyber risk magically shifts elsewhere. Those OT teams will need training, tools, and support—but risk ownership is still the same.”
This “shift elsewhere” is not a new issue. Many organisations that take on cloud-based cybersecurity services seem to think doing so absolves them of liability. It doesn’t. When things go wrong, legal liability still sits with the data owner, not with the service provider managing the data. The same applies here. IT is, in effect, managing OT systems on behalf of the engineers, but those engineers remain responsible for their systems.
What is in the report?
There are several sections in the report, and all are worth the time spent reading them. It begins with a comprehensive definition of industrial cyber risk. This is followed by a walkthrough of the elements of a cyber risk equation and how to understand them, and then an explanation of how organisations can build a risk management programme around those key concepts. While the focus here is industrial cyber risk, the process can be applied to any environment.
The report then breaks down the five key steps in the Dragos industrial cyber risk management process. Each of these has its own detailed section describing how organisations can apply that step.
Importantly, it also says: “This guideline is not intended to reinvent the wheel for risk management. It is designed to supplement existing risk management processes with expertise required to manage cyber risks specific to operational technology.” It is a refreshing approach and shows that cyber risk is an organisational issue, not one owned by a single function.
For managers, there is a section towards the end that warrants reading multiple times. It deals with the risk communication process, something that many organisations struggle with. Providing a practical section for senior managers is rare in industry reports. Most have a small call to action, but they can rarely be used as a management guide.
Enterprise Times: What does this mean?
Bringing IT and OT operations together is essential, but it cannot be done without the right guidance and frameworks. To date, many of those have been in short supply. That is changing, as this document shows, and it is a good thing.
We are moving towards a world where we see smarter buildings, infrastructure and cities. All of these will consist of a mix of IT and OT systems, including critical infrastructure. How they interact and are secured needs to be a priority. Without it, cybercriminals will continue to wreak havoc on systems. More importantly, the threat that they will pose will not just be reputational or financial. Without being overly dramatic, attacks against OT systems have the potential to threaten lives.
Organisations need to sit IT and OT teams down together and draw up new rules of engagement. Processes that have long been set in stone need to be revisited and made fit for purpose. Importantly, as this report shows, this is not about throwing away existing processes. It is about building new processes that draw on what is already there. It is an approach that does not risk isolating anyone.