Divide between IT and OT teams stops businesses having a unified security strategy
A cultural divide between IT and operational technology (OT) teams is preventing organizations from having a unified strategy to protect both environments.
Only 21 percent of organizations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and the board are regularly informed about the state of their OT security.
This is despite 63 percent of organizations having an ICS/OT cybersecurity incident in the past two years, and it taking an average of 316 days to detect, investigate and remediate the incident. Digital transformation and trends in Industrial Internet of Things (IIoT) have also greatly expanded cyber risk to the OT and ICS environment according to 61 percent of respondents.
Just 43 percent of organizations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives. 39 percent have IT and OT teams that work together cohesively to achieve a mature security posture across both environments. 35 percent have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities.
"Most organizations lack the IT/OT governance framework needed to drive a unified security strategy, and that begins with the lack of OT-specific cybersecurity expertise in the organization," says Steve Applegate, chief information security officer at Dragos. "Bridging the cultural divide between IT and OT teams is a significant challenge. But organizations must not fall into the trap of thinking that OT can just be tacked onto an existing IT program or managed under a general IT umbrella. There are fundamental differences between the problems and goals of a corporate IT environment -- data safety and security -- and industrial environments, where human health and safety, loss of physical production, and facility shutdowns are real risks. Deep domain expertise as well as ICS/OT-specific technologies are both required to truly safeguard industrial systems."
Looking at the reasons behind the lack of collaboration, 44 percent of respondents say there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors. 43 percent of respondents say there is a lack of clear 'ownership' on industrial cyber risk and uncertainty around who leads the initiative, implements the controls and supports the program.
The full report is available from the Dragos site.