Study: Cybersecurity strategy often stymied by IT/OT cultural divide

According to a report conducted by the Ponemon Institute and OT cybersecurity firm Dragos, Inc., only 35% of firms surveyed said they have a unified security strategy that secures both their IT and industrial controls systems (ICS)/OT environments. In addition, the study states that only 43% of organizations said they have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives.

This despite the fact that 63% of organizations reported having had an ICS/OT cybersecurity incident in the past two years – events that took an average of 316 days to detect, investigate and remediate. In addition, 61% of respondents either agreed or strongly agreed with the statement “digital transformation and trends in IIoT have greatly expanded cyber risk to the OT and ICS environment”.

At the heart of the problem, the report finds, is a cultural divide between the IT and OT teams; according to the report, only 39% of survey respondents said they have IT and OT teams that work together cohesively to achieve a mature security posture across both environments.

The nature of the divide isn’t as much about competition for budget dollars or new security projects, the report says, as it is about differing objectives. While IT security focuses on data safety and security, the OT side is concerned with facility shutdowns, health and safety and technical challenges specific to OT environments.

For example, 44% of respondents said there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors. In addition, 43% said there is a lack of clear “ownership” on industrial cyber risk and uncertainty around who leads the initiative, implements the controls and supports the program.

“Most organizations lack the IT/OT governance framework needed to drive a unified security strategy, and that begins with the lack of OT-specific cybersecurity expertise in the organization,” said Steve Applegate, chief information security officer for Dragos, Inc. “Bridging the cultural divide between IT and OT teams is a significant challenge. But organizations must not fall into the trap of thinking that OT can just be tacked onto an existing IT program or managed under a general IT umbrella.”

Beyond the IT/OT divide, another major problem, the report finds, is that many senior managers lack awareness of the risks and threats to the OT and ICS environments. Less than half (48%) of respondents say their organizations understand the unique cyber risks and have specific security processes and policies for OT and ICS environments. What’s more, 43% of respondents said senior management understands the cyber risks and provides enough resources to defend OT and ICS environments.

“A majority of C-level executives and boards of directors are uninformed about the efficiency, effectiveness and security of their ICS/OT cybersecurity programs,” said Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute. “If the board isn’t keenly aware of the impact a cybersecurity incident would have on the bottom line, securing the appropriate amount of budget for OT programs is much more difficult. As evidenced by the report, this stems from a lack of clear ownership for ICS/OT risk and who reports that to the board between engineering, IT and CISOs.”

The report – “The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams” – surveyed 603 IT, IT security, and OT security practitioners at the managerial, director and C-level.
www.dragos.com