As cybersecurity risk and complexity continue to grow, how is the long-standing gap between IT and OT evolving? Dragos asked four industrial security leaders that question and more in our recent webinar, What’s Behind the IT/OT Cultural Divide?
Key Findings from the Ponemon Institute’s 2021 Report
We kicked off by revealing the findings of a survey conducted by the cybersecurity analyst firm Ponemon Institute. The Ponemon team questioned over 600 IT and OT security practitioners in the United States, across roles, company sizes and 15 different industries. The results of the report, The 2021 State of Industrial Cybersecurity, show a true cross-section of the IT/OT field.
Key findings included:
- 50% of respondents are optimistic about the future of their ICS/OT cybersecurity program.
- Only 21% say their ICS/OT program activities have achieved full maturity.
- 45% of respondents believe their organizations are effective in discovering and maintaining an inventory of all devices attached to the OT network.
- 46% think their organizations are effective in gathering intelligence about threats to the ICS/OT environment.
- Cultural and technical differences, topped by patch management (50%) and the unique requirements of ICS vendors (44%), cause conflicts between the two functions.
In addition, the survey reported how responding organizations are experiencing and reacting to cyber threats. 63% had an ICS/OT cybersecurity incident in the past two years. Interestingly, the VP of Engineering is most often held accountable for ICS/OT security (25%), versus CISOs, at 12%, although 43% of respondents report that their organization lacks clear ownership of industrial cyber risk.
The results also made clear the financial impact of OT cybersecurity threats. The average cost per cybersecurity incident came in at $2,989,500 – and that is purely operational, without accounting for lost revenue or penalties and fines.
Navigating the IT/OT cultural divide and talent crunch
After covering the survey results, we turned it over to our panel of experienced CISOs (and coincidentally, all Air Force veterans!).
- Shon Gerber, CISO, INVISTA
- Paul Reyes, CISO, Vistra
- Doug Short, CIO and CISO, Trinity River Authority of Texas
- Steve Applegate, CISO, Dragos
The gentlemen set the stage by discussing the cultural differences between IT and OT. As one panelist put it, “For IT, security is king. For OT, it’s availability and the ability to operate.” This disparate focus is complicated by factors like OEM requirements and risk tolerance, as well as the idea – either perceived or legitimate – that “the other side” doesn’t have the necessary knowledge and experience to make the right decisions.
The panel shared their thoughts on the talent crunch in IT/OT as well. The Ponemon survey found that 50% of respondents cited “Unable to hire OT security professionals” as a primary blocker for investing in ICS and OT cybersecurity, and 49% say that “Hiring experts in OT and ICS cybersecurity” was a top investment priority in 2021.
The panelists emphasized that finding and retaining strong OT cyber professionals is often more about passion, focus and culture than capabilities. In their opinion, it can be easier to take someone with experience in ICS/OT and “add” security versus moving someone from IT into OT due to the cultural differences. In a reference to the panel’s shared time in the Air Force, they spoke of the criticality of operational focus: driving towards a primary mission of, for example, providing clean water, in contrast to making sure all the server lights are blinking.
Additional takeaways included the importance of:
- Baking security in across the board instead of “having three guys protecting everything.”
- Fostering diversity of thought by hiring people from different backgrounds.
- Helping team members learn to speak three “languages”: IT, OT and leadership.
- Growing entry-level employees by giving them responsibility within the guardrails set by senior leaders.
Five recommendations for bridging the IT/OT divide
The panel continued the webinar by discussing the impact of cyber incidents and ransomware. The survey results on this topic were revealing. Of the 63% of companies that experienced an ICS/OT cybersecurity incident in the past two years, almost half (29% of all respondents) were hit with ransomware. Approximately half (51%) of those also paid heavily, reporting that their organizations paid an average ransom of more than $500k.
Finally, the group shared their takes on communicating ICS/OT information to their company Boards. According to the Ponemon Survey, 25% of organizations do not report ICS/OT initiatives to the Board. Our panel expects that to change as the threat landscape grows and IT/OT vulnerabilities become more high-profile and impactful.
To wrap up, Dragos concluded with five recommendations to help converge the IT/OT divide and work together effectively to protect industrial organizations:
- Create cross-functional teams of IT and OT SMEs to bridge the cultural divide.
- Hold regular board meetings to discuss security safeguards and bottom-line impact.
- Ensure enough budget and personnel to improve visibility and detection of threats and vulnerabilities across all environments.
- Map out threat-driven and consequence-driven scenarios most likely to impact high-priority assets.
- Leverage partners and third parties to bridge internal gaps (e.g., with a rapid incident response retainer) and tie it to the business problem.