A new report from specialist industrial cybersecurity firm Dragos finds that cultural divides and conflicts between IT and operational technology (OT) teams are a significant contributor to failures to secure industrial control systems (ICS) in firms throughout the United States.
Fewer than half of organizations have a cohesive policy that applies across these departments, nor is it the norm for these security teams to work together. Some of this can be attributed to C-level oversight, but the study also finds that these teams sometimes have perverse incentives due to competition for budget dollars and that entirely separate cultures tend to create communications issues.
As concerns about industrial cybersecurity grow, teams struggle to keep pace with threats
Industrial cybersecurity came roaring back to the front of the news cycle in 2021 with a series of high-profile attacks on critical infrastructure, nowhere more so than in the US, where the Biden administration has begun applying new regulations to industries such as energy and water.
The study finds that this is more than just a temporary panic caused by several outlier attacks in close sequence. 63% of the organizations surveyed had an ICS/OT cybersecurity incident in the past two years, with an average response time of nearly a full year from initial detection to remediation of the incident. 61% of respondents agree that the risk of industrial cybersecurity incidents has increased recently, and threat actors certainly appear to be sensing opportunity in this area.
Conducted by Ponemon Institute, the study surveyed 603 US IT and OT professionals working in operations with industrial cybersecurity concerns at the C-suite or management level. The results indicate that cultural divide is the central factor that contributes to OT security issues.
Only 43% said that company cybersecurity policies and procedures were aligned with ICS and OT security objectives. 39% reported IT and OT teams working together in a “cohesive” way to achieve security objectives, and 35% said that the two teams have a unified security strategy aimed at negotiating different controls and priorities to equally secure both sides of the operation.
50% of the respondents do say that they feel optimistic about future teamwork in the industrial cybersecurity program. Only 21% report their programs being at full maturity at this point, however, with the C-suite regularly updated on the program’s safety and effectiveness. 29% say they are in the “late middle” stage of this process with a general bridging of the cultural divide between executives, the IT team and the OT team. That leaves half that still feel there is a great deal of work to do.
New to this year’s report is an estimate of the average cost of an industrial cybersecurity incident: $2,989,550 for 2020. The vast majority of this is in after-the-fact remediation costs: a little over $2 million for downtime, equipment replacement and fines. The rest of the cost went to incident response and threat hunting that involved an average of six IT and OT professionals.
Cultural divide appears to play a strong role in budgeting issues. 56% of respondents say that OT cybersecurity is managed by an engineering department that does not have cybersecurity experience; 53% say that OT security is managed by an IT department that does not have industrial cybersecurity experience. Most respondents say that they report either to the VP of Engineering or IT management on industrial cybersecurity issues, with only 12% saying that the CISO is responsible for these programs.
OT environment sees cultural divide with both IT and C-suite
The cultural divide extends to boardrooms that tend to not be well-informed about industrial cybersecurity programs, with only 38% discussing OT and IT safeguards during meetings and only 36% asking for presentations on the effectiveness of security measures.
32% say that the cultural divide between IT and OT is informed by a competition for budget money. But respondents say that a larger problem is lack of coordination of practices between the two worlds. 50% say that the unique needs of patch management in the OT environment are not adequately handled by IT, and 44% say that industrial automation equipment vendors have their own unique needs that are not necessarily being accounted for by cybersecurity procedures.
The study also finds that intelligence gathering is not necessarily covering the industrial cybersecurity environment. Only 46% felt that they were effective at gathering intelligence on threats to OT, and 45% said that they had an accurate inventory of all of the devices in the OT network.
Respondents ultimately named cultural differences between security, engineers and IT staff as the primary challenge in industrial cybersecurity. This was followed closely by technical differences between IT and OT practices, and a lack of clear ownership of initiatives and programs. While it was a slightly smaller factor, 41% of organizations also said that they are still struggling to hire professionals who have IT-OT experience.