IT and OT divide hampers security strategy

Sheila Zabeu

November 17, 2021

Only 21% of organizations have a mature cybersecurity program for Industrial Control Systems (ICS) and Operational Technology (OT). As a result, the average cost of security incidents against these targets is around US$3 million, with this figure reaching more than US$100 million in some cases. The data is from “The 2021 State of Industrial Cybersecurity” report prepared by Ponemon Institute and Dragos, which was based on data compiled among 600 US-based IT, IT security, and OT professionals.

The study found that 63% of the organizations surveyed had a cybersecurity incident in their ICS/OT environments in the last two years and took an average of 316 days to detect, investigate and remediate the breaches. For 61% of respondents, digital transformation and trends related to the Industrial Internet of Things (IIoT) have greatly elevated cyber risk in industrial environments.

Source: Ponemon Institute and Dragos

“Most organizations lack the IT/OT governance structure required to maintain a unified cybersecurity strategy. And that starts with a lack of OT-specific cybersecurity expertise,” explains Steve Applegate, director at Dragos. “Bridging the cultural divide between IT and OT teams is a significant challenge, but organizations should not fall into the trap of thinking that OT systems can simply be bundled into an existing IT program or managed under the IT umbrella,” he

According to him, there are fundamental differences between the problems and objectives of the IT environment – in short, security and data protection – and the industrial environment, in which employee health and safety, production downtime, and plant shutdowns are real risks.

The report’s findings suggest that misunderstanding between the groups, rather than conflict, is the main issue. Only 32% cite competition between IT and OT over budget and new security projects, and only 27% cite difficulty in converging the IT and OT security teams into a single comprehensive program.

Half of the respondents say cultural differences between the teams are the main challenge. Another 44% say there are problematic technical differences between IT group best practices and what can be done in OT environments, such as patch management and the requirements imposed by industrial automation equipment vendors. A further 43% say there is a lack of “clear accountability” for industrial cyber risk and uncertainty about who should lead the initiative, implement the controls and support the programs.

Source: Ponemon Institute and Dragos

In addition, C-level executives and the companies’ boards of directors are not regularly informed about the efficiency and effectiveness of the programs. Only 35% of respondents say someone is responsible for this reporting, and 41% say such a report is delivered only when a security incident occurs.

Many senior managers are also unaware of the risks and threats specific to OT and ICS environments, resulting in inadequate allocation of resources for risk management. Fewer than half (48%) of respondents say their organizations understand these specific risks and have cybersecurity processes and policies for OT and ICS environments. Only 43% of respondents say senior management understands these risks and ensures sufficient resources to protect the environment.

Loss of confidence in systems is the top consequence of a cybersecurity incident, reported by 54% of respondents, followed by process inefficiency (49%) and loss of control availability (47%).

Despite the challenges, organizations are committed to investing in the cybersecurity posture of ICS and OT environments. The top priority, according to 60% of respondents, is investment in assessing weaknesses in the security posture of OT environments. Other initiatives aim to gather intelligence on specific threats (56%) and to hire OT and ICS cybersecurity experts (49%).