What’s Behind the IT/OT Divide? 4 CISOs Weigh In

As cybersecurity risk and complexity continue to grow, how is the long-standing gap between IT and OT evolving? We asked four industrial security leaders that question and more in our recent webinar, What’s Behind the IT/OT Cultural Divide?

You can watch the recording here, or read on for the highlights.

Key Findings from the Ponemon Institute’s 2021 Report

We kicked off by revealing the findings of a survey conducted by cybersecurity analyst firm the Ponemon Institute. The Ponemon team questioned over 600 IT and OT security practitioners in the United States, across roles, company size, and 15 different industries. The results of the report, The 2021 State of Industrial Cybersecurity, show a true cross-section of the IT/OT field.

Key findings included:

• 50% of respondents are optimistic about the future of their ICS/OT cybersecurity program.
• Only 21% say their ICS/OT program activities have achieved full maturity.
• 45% of respondents believe their organizations are effective in discovering and maintaining an inventory of all devices attached on the OT network.
• 46% think their organizations are effective in gathering intelligence about threats to the ICS/OT environment.
• Cultural and technical differences, topped by patch management (50%) and the unique requirements of ICS vendors (44%), cause conflicts between the two functions.

In addition, the survey reported how responding organizations are experiencing and reacting to cyber threats. 63% had an ICS/OT cybersecurity incident in the past two years. Interestingly, the VP of Engineering is most often held accountable for ICS/OT security (25%), versus CISOs, at 12%, although 43% of respondents report that their organization lacks clear ownership of industrial cyber risk.

The results also made clear the financial impact of OT cybersecurity threats. The average cost per cybersecurity incident came in at $2,989,500 – and that is purely operational, without accounting for lost revenue or penalties and fines.

Navigating the IT/OT Cultural Divide & Talent Crunch

After covering the survey results, we turned it over to our panel of experienced CISOs (and coincidentally, all Air Force veterans!).

• Shon Gerber, CISO, INVISTA
• Paul Reyes, CISO, Vistra
• Doug Short, CIO and CISO, Trinity River Authority of Texas
• Steve Applegate, CISO, Dragos

The gentlemen set the stage by discussing the cultural differences between IT and OT. As one panelist put it, “For IT, security is king. For OT, it’s availability and the ability to operate.” This disparate focus is complicated by factors like OEM requirements and risk tolerance, as well as the idea – either perceived or legitimate – that “the other side” doesn’t have the necessary knowledge and experience to make the right decisions.

The panel shared their thoughts on the talent crunch in OT/IT as well. The Ponemon survey found that 50% of respondents cited “Unable to hire OT security professionals” as a primary blocker for investing in ICS and OT cybersecurity, and 49% say that “Hiring experts in OT and ICS cybersecurity” was a top investment priority in 2021.

The panelists emphasized that finding and retaining strong OT cyber professionals is often more about passion, focus, and culture than capabilities. In their opinion, it can be easier to take someone with experience in ICS/OT and “add” security versus moving someone from IT into OT due to the cultural differences. In a reference to the panel’s shared time in the Air Force, they spoke of the criticality of operational focus: driving towards a primary mission of, for example, providing clean water, in contrast to making sure all the server lights are blinking.

Additional takeaways included the importance of:

• Baking security in across the board instead of “having 3 guys protecting everything.”
• Fostering diversity of thought by hiring people from different backgrounds.
• Helping team members learn to speak three “languages”: IT, OT, and leadership.
• Growing entry-level employees by giving them responsibility within the guardrails set by senior leaders.

5 Recommendations for Bridging the IT/OT Gap

The panel continued the webinar by discussing the impact of cyber incidents and ransomware. The survey results on this topic were revealing. Almost half – 29% – of the 63% of companies that experienced an ICS/OT cybersecurity incident in the past two years were hit with ransomware. Approximately half (51%) also paid heavily, reporting that their organizations paid an average ransom of more than $500k.

Finally, the group shared their takes on communicating ICS/OT information to their company Boards. According to the Ponemon Survey, 25% of organizations do not report ICS/OT initiatives to the Board. Our panel expects that to change as the threat landscape grows and IT/OT vulnerabilities become more high-profile and impactful.

To wrap up, we concluded with five recommendations to help IT and OT work together effectively to protect industrial organizations:

1 | Create cross-functional teams of IT and OT SMEs to bridge the cultural divide.

2 | Hold regular board meetings to discuss security safeguards and bottom line impact.

3 | Ensure enough budget and personnel to improve visibility and detection of threats and vulnerabilities across all environments.

4 | Map out threat-driven and consequence-driven scenarios most likely to impact high-priority assets.

5 | Leverage partners and 3rd parties to bridge internal gaps (e.g. with rapid incident response retainer) and tie it to the business problem.

Watch the complete webinar for all the insights from this experienced team, or download the Ponemon Institute report, The 2021 State of Industrial Cybersecurity, to review all the findings.