The Dragos Blog

11.10.21 | 3 min read

New Data Sheds Light on Industrial Cybersecurity Maturity and Blockers

Dragos, Inc.

In 2021, the need for OT cybersecurity has become increasingly apparent. A new focus on protecting physical environments is fueled by a combination of media headlines with SolarWinds, Oldsmar Water, Colonial Pipeline, and JBS breaches at the center, and a spate of US government initiatives focused on improving the cybersecurity of our critical infrastructure, including the White House National Security Memorandum, the Department of Energy’s 100-day electric plan, CISA’s cybersecurity performance goals and objectives for critical infrastructure control systems, and TSA’s 100-day pipeline plan.

To better understand the gaps and challenges and help reduce risk and exposure to cyber threats targeting industrial operations environments, Dragos teamed up with the Ponemon Institute, a leading research center dedicated to privacy, data protection, and information security policy.

Ponemon conducted a survey of 603 IT, IT Security, and OT security practitioners across the United States to assess the maturity of their industrial cybersecurity programs and understand the emphasis being placed on ICS/OT security at varying levels across their organizations.

This report uncovers some of the key cybersecurity challenges facing industrial organizations today and provides practical solutions on how an organization can mature its cybersecurity program long term.

Read on for an overview of the key findings from the 2021 State of Industrial Cybersecurity, or download the full report now.

How Mature are ICS/OT Cybersecurity Programs?

Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity program, with 21% of respondents saying their ICS/OT program activities have achieved full maturity and emerging threats drive priority actions.

A fully mature cybersecurity program means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program.

Twenty-nine percent of respondents say their organizations are in the late-middle stage, meaning there is C-level support, adequate budget, risk assessment, and a cross-functional team of SMEs working together cohesively to protect IT and OT networks.

While it’s good news to see half of our respondents trending toward full maturity of their ICS/OT cybersecurity programs, many industrial organizations may be struggling to even know where to begin. Architecture reviews, risk assessments, and penetration tests are often the first steps toward building a comprehensive strategy.

Lack of ICS/OT Cybersecurity Expertise Hinders Allocation of Sufficient Resources

Most respondents say a lack of understanding about the cyber risks to industrial control systems (ICS) and operational technology (OT) limits the resources allocated to defend ICS/OT environments.

According to 56 percent of respondents, the primary blocker for investing in OT cybersecurity is that OT security is managed by the engineering department, which does not have security expertise, followed by 53 percent of respondents who say OT security is managed by an IT department without engineering expertise.

Accountability for the security of the ICS and OT environments is most often assigned to the VP of engineering and this function is most often considered a deterrent to investing in OT and ICS.

The 2021 State of Industrial Cybersecurity, Ponemon Institute

Understanding the real risks to industrial operations starts with knowing the technology that puts organizations at risk and understanding how cyber threats are introduced to what’s traditionally – and incorrectly – considered an “air gapped” environment.

IT-OT Cultural Divide Limits Organizations’ Ability to Secure Operations

Cultural and technical differences must be overcome to have OT and IT work cohesively. Unexpectedly, the challenges often are not caused by competition for budget dollars and new security projects, which was reported by only 32 percent of respondents.

Rather, it is the cultural and technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors, that cause conflicts between these two functions (50 percent and 44 percent of respondents, respectively).

Organizations need to create cross-functional teams of IT and OT practitioners to bridge this divide, and a priority of these teams should be to inform C-level executives and the board of directors about the efficiency, effectiveness, and security of the ICS/OT cybersecurity program.

Growing an Industrial Cybersecurity Program

So, what can you do to effectively mature your ICS/OT cybersecurity program in 2022?

Based on the research, bridging the IT and OT cultural divide should be your first priority. Cross-functional teams of SMEs that regularly report to C-level executives and the board of directors can effectively build a unified strategy that secures both IT and OT environments.

Other recommendations include making an OT cybersecurity roadmap, investing in the right tools, and improving the specialized skills needed to effectively protect industrial control systems. Download the 2021 State of Industrial Cybersecurity now for more insights from the community safeguarding critical infrastructure and operations.
