
When IT and OT are in a tug-of-war over ICS security ownership, everybody loses

The Royal Navy team competes in a tug of war competition at the 2017 Braemar Gathering in Scotland. (Photo by Chris Jackson/Getty Images)

The cultural divide that exists between IT security professionals and OT engineers is among the chief barriers preventing industrial organizations from developing a fully mature security program that protects both IT and OT systems, a new survey-based report states. And according to the two companies behind the research, one of the best ways to bridge this gap is to develop a unified IT/OT governance model for ICS security.

This cultural schism between an organization's IT and OT personnel is often the result of distrust between the two camps combined with a lack of awareness of how each group typically operates within its own environment.

“People who are on the OT or ICS side of the house are basically engineers. They speak a different language than people on the IT side,” said Larry Ponemon, chairman and founder of the Ponemon Institute, which published its “2021 State of Industrial Cybersecurity Report” this week.

Ben Miller, vice president of professional services and R&D at Dragos, which sponsored the research, agreed: “The traditional teams simply do not have visibility into these OT industrial control systems environments in order to properly defend them, and the engineering team and the facilities themselves don't have the expertise to create that visibility and do the monitoring that's truly needed on the cybersecurity side,” he said. “And so this lack of trust is just amplifying all these problems.”

Cultural divide between IT and OT runs deep

The roots of distrust can run deeper than you might even think.

“IT may have had a misunderstanding 10 years ago and caused an outage,” Miller continued, speaking alongside Ponemon in a joint interview with SC Media. “That memory stays with the engineering team over time; it does not go away. So one misstep like that can have a pretty large impact on the relationship over the long term. And there’s a constant tension of availability … that's often felt across these teams.”

There’s also a tendency for the IT and OT sides to keep to themselves.

“A lot of the folks who operate on both the OT and IT side … operate on a more decentralized level, which creates some serious dysfunction,” noted Ponemon. “[They] feel that the work they do is unique, and it's not something that's shareable with other parts of the organization.”

A lack of clear-cut governance also contributes to the problem: “In some ways, it very much feels like there's not a grown-up in the room telling them what is actually needed from a governance perspective. … And so there's a bit of a blurred line on who truly owns cybersecurity,” said Miller.

In fact, it’s not uncommon for IT and OT to have their own separate budgets for securing a facility’s operations. “Both have an ownership; therefore neither has an ownership,” said Miller. “And that's where a lot of the challenges come into play where it becomes a little bit of a turf battle on who has … control. … And so in some ways they're circling around each other, rather than working together.”

For its research, Ponemon surveyed 603 IT, IT security and OT professionals. Among this group, only 21% said that their ICS/OT program activities have reached full maturity, which would mean that their security responses are prioritized and driven by emerging threats and top-level executives are kept regularly informed of security developments.

Moreover, only 43% said that cybersecurity policies and procedures are aligned with OT/ICS security objectives, 39% said IT and OT teams work cohesively to reach a mature security posture, and a mere 35% said that their organization has a unified security strategy that properly secures both IT and OT environments.

“We basically see this as a problem that if not fixed, can actually be very costly to your organization,” said Ponemon, whose research found that the average cost of a cybersecurity incident in an ICS/OT environment is $2,989,550 – though this does not even factor in loss of business from an attack, which would result in additional financial damages.

While 50% of respondents named cultural differences as a primary obstacle preventing IT and OT from working together cohesively under a unified security vision, 44% also cited technical disparities as a major issue (respondents were allowed to choose more than one). Notable differences include how IT and OT factions go about patching vulnerabilities, and the unique requirements of industrial automation equipment vendors.

For instance, said Miller, a cybersecurity or IT team might want to shut down a device to patch a bug found in its software even though fixing it doesn’t materially change its risk or vulnerability status. From an engineer’s perspective, this might just be wasting productivity for a nominal change in security posture.

Another example: OT operating environments may have very long-term partnerships with certain third-party OEM vendors that the IT/security department has limited visibility into, which can cause frustration from a cybersecurity perspective.

The good news, said Ponemon, is that “companies are becoming more aware of the cultural divide, and there seems to be an appetite to invest in technologies and maybe governance practices, because it is now viewed as something that's substantial and important.”

But what does it take to establish an IT/OT governance framework, and how does an organization ensure that ICS security is properly incorporated into this vision?

“It starts with asking the very specific questions to understand what is in scope and what is not in scope,” said Miller. “If the board of directors is looking [to assess] how their enterprise security is, there's almost an inherent assumption that their most critical facilities are part of that discussion when it's presented to them. And often it is not. It is instead on workstations and ERP systems and email systems. And so it's important to understand in the conversation, what is included in that and what's not included in that by asking very detailed questions.”
