Integration of IT and OT concerns – and of IT and OT personnel – could help infrastructure providers reduce the risk of crippling cyberattacks.
In its newly published report on comprehensive security strategies for critical infrastructure, Newsweek Vantage offers up a sobering number. Specifically, it states that fully 52% of the 415 C-level executives surveyed for the independent report identified the human component – that is, employees – as the biggest threat to their companies’ operational security.
The report qualifies this conclusion somewhat by explaining that 24% of the respondents had named unintentional security breaches by employees as one of their two main sources of risk, while another 28% pointed to intentional security violations. (Attacks by cyber-criminal groups, by contrast, drew votes from 47% of those surveyed.)
“The people, the process, and the awareness”
Despite this qualification, Newsweek Vantage groups deliberate and accidental security breaches by employees together because it sees them both as part of the same problem. In the report, it quotes Steven Mustard, a subject-matter expert at the International Society of Automation, as saying: “Cybersecurity technology is important, but actually, the people, the process, and the awareness are the things organizations need to work on.”
Mustard’s statement reinforces one of the report’s main points – namely, that infrastructure operators need more comprehensive and holistic security strategies that address both information technology (IT) and operational technology (OT), as well as the industrial internet of things (IIoT). It does so by stressing the fact that the cultural and communication gaps between OT and IT personnel contribute to security risks.
“OT and IT do not work well together”
The report traces these gaps back to the fact that OT and IT teams have different origins and different objectives.
Typically, it notes, IT staffers begin with the presumption that their duties include keeping their employers’ data and devices secure. They may also follow environmental and risk tolerance guidelines that do not match established operational practices, and they sometimes resist efforts to bring operational and physical security concerns to their attention.
OT personnel, by contrast, tend to see efficiency, productivity, and continuity as their primary considerations, so they may devote insufficient attention to the security hazards that new technologies can present. Alternatively, they sometimes overlook (or may not recognize) the risks that older legacy systems can pose. And like their counterparts in IT, they may resist efforts to bring information security concerns to their attention.
As a result, Newsweek Vantage notes, “OT and IT do not work well together, despite many years of discussion” on how to bridge the gap between the two sides. This makes the process of formulating comprehensive security strategies for critical infrastructure very difficult.
The status quo is no longer acceptable
But this status quo is no longer acceptable. The stakes are simply too high, as connected OT and IIoT systems are becoming increasingly common (and increasingly important) for operators of crucial infrastructure such as utilities and transportation providers.
Under these circumstances, Newsweek Vantage argues, the best response is integration – specifically, integration of IT, OT and IIoT security concepts, as well as integration of IT and OT personnel into teams that can work together to develop more holistic strategies.
Integration along these lines is not likely to be easy, not least because it has rarely been done before. Hannes Barth, general manager for Siemens’ Ruggedcom, was quoted in the report as saying: “Most organizations struggle to imagine what a holistic approach to cybersecurity looks like.”
If infrastructure providers fail to take action, though, the culture gap between IT and OT employees has the potential to magnify the impact of disruptive events. As the report points out, the U.S. Department of Health and Human Services (HHS) confronted a cyberattack on March 15 that appears to have been designed to use disinformation as a means of undermining public-sector responses to the coronavirus outbreak. Needless to say, this would have imposed an even greater burden on those tasked with confronting the pandemic.