Cultural divide between IT and OT teams affects organizational ability to protect the cybersecurity sector


Dragos released on Wednesday its annual report on the state of the industrial cybersecurity sector, which identifies cultural differences, technical barriers, and a lack of clear ownership as the primary challenges for OT (operational technology) and IT collaboration. The results highlight cultural and technical differences in the cybersecurity sector between traditional IT-specific best practices and what is possible within an OT environment, such as patch management and unique requirements of industrial automation equipment vendors, that cause conflicts between these two functions.

The annual report, titled ‘The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide between the IT & OT Teams,’ was sponsored by Dragos and independently conducted by Ponemon Institute. It calculates the average time and cost to detect, investigate and remediate a cybersecurity incident in the ICS (industrial control systems) and OT environment.

The Ponemon Institute surveyed 603 IT, IT security, and OT (operational technology) security practitioners at the C-level, managerial, and director levels in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices in their organizations.

There are a number of headwinds facing IT and OT cultural reconciliation, spanning all levels of the organization chart, Steve Applegate, chief information security officer at Dragos, told Industrial Cyber. “IT security practitioners often lack credibility to sell implementation of security controls, since they may lack a solid understanding of engineering principles in general, and more specifically the germane industrial processes. Engineers may try to force cybersecurity elements into operating models that have worked with industrial equipment for decades, but are not adequate to account for the dynamic nature of cybersecurity,” he added.

This approach then yields incoherent results, disconnected from enterprise security strategic objectives. And top leadership seems to often be at a stalemate, with engineering executives at odds with CISOs regarding priorities, Applegate added.

Dragos data said that the average cost of a security incident in the cybersecurity sector of the ICS/OT environment is $2,989,550, with an average of 316 days spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT and IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs including the replacement of equipment, downtime, legal and regulatory fines total $2,026,382, thereby equaling the average total cost of $2,989,550, the report disclosed.

Based on the responses, the study reveals a cultural divide between IT and OT teams in the cybersecurity sector that affects the ability to secure both the IT and the ICS/OT environment. Only 43 percent of organizations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives. Barely a third, about 39 percent, have IT and OT teams that work together cohesively to achieve a mature security posture across both environments, according to the report, with 35 percent reporting a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities.

The findings of the report on the cybersecurity sector suggest misunderstanding between the groups, rather than conflict, is a significant issue. Only 32 percent cite competition between IT and OT for budget dollars and new security projects and only 27 percent have difficulty in converging security teams across IT and OT as an enterprise-wide security program. Half of the respondents state that cultural differences between engineers, security professionals, and IT staff are the main challenge, the Dragos report added.

Forty-four percent say there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors, the report said. Forty-three percent of respondents say there is a lack of clear ‘ownership’ on industrial cyber risk and uncertainty around who leads the initiative, implements the controls, and supports the program.

Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity programs. However, only 21 percent of respondents say their ICS/OT program activities have achieved full maturity and emerging threats drive priority actions. A fully mature program also means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program, the Dragos report said. Twenty-nine percent of respondents say their organizations are in the late-middle stage which means C-level support, adequate budget, risk assessment, and a cross-functional team of IT and OT SMEs work together cohesively.

The findings of the report revealed that half of the respondents say their ICS and OT program activities are mature, or in the late middle stage. In the context of this research, 50 percent of respondents say their organizations are stalled in the early (17 percent) or middle stage (33 percent), which means ICS and OT program activities have not been planned or deployed or only partially deployed.

Only 21 percent of respondents say program activities are fully deployed and senior leadership is regularly informed about the efficiency, effectiveness, and security of the program, the report said.

Most cybersecurity maturity programs identify targets that take several years to reach. And with the evolving threat landscape, asset owners also face moving maturity targets, according to Applegate. “Another concern is the possibility of a false sense of security that may be prevalent for people with programs they perceive as mature, yet where the cultural divide has prevented decision-makers from receiving and understanding relevant risk metrics,” he said.

The Dragos report said that as the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats. Sixty-three percent of respondents say their organizations had a cybersecurity incident in the past two years.

It is difficult to imagine a scenario where one can truly get ahead of the adversary, since incident management is reactive by nature, according to Applegate. But when organizations prioritize proven risk management practices and turn them into muscle memory, they gain strong situational awareness, attack surfaces are reduced, and the impact of incidents is contained. People should emphasize getting good at the basics, like inventorying and managing assets, assessing and remediating vulnerabilities, and creating mature incident management capabilities that are informed by threat intelligence, he added.

The majority of respondents say senior management lacks an understanding of the cyber risks in the ICS/OT environments, the Dragos report said. As a result, not enough resources are allocated to defend the ICS/OT environments. Paradoxically, according to 56 percent of respondents, the primary blocker for investing in OT cybersecurity is that OT cybersecurity is managed by the engineering department, which does not have security expertise, followed by 53 percent of respondents who say OT security is managed by an IT department without engineering expertise, it added.

Close to 40 percent of respondents to the Dragos-Ponemon Institute survey said the security safeguards in place to protect the ICS and OT environments are covered during board meetings, and only 36 percent of respondents say the effectiveness and efficiency of security programs and measures are presented. Only 46 percent of respondents say their organizations are effective in gathering intelligence about threats to the ICS/OT environment and 45 percent of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle.

The Dragos report comes in the wake of the company’s raising $200 million in Series D funding at a valuation of $1.7 billion, reflecting increasing demand for OT cybersecurity techniques and solutions. The investment comes as industrial cyberattacks continue to rise, highlighting the fact that OT cyber security is different and needs a different approach.

It comes as a new focus on protecting physical environments is fueled by a combination of cybersecurity incidents, with the SolarWinds, Oldsmar water plant, Colonial Pipeline, and JBS breaches at the center, and several U.S. government initiatives focused on improving the cybersecurity of our critical infrastructure, including the White House National Security Memorandum, the Department of Energy’s 100-day electric plan, CISA’s cybersecurity performance goals and objectives for critical infrastructure control systems, and TSA’s 100-day pipeline plan.
