- Less than half of organizations (43%) align operational technology and industrial control system procedures with cybersecurity procedures, according to a Ponemon Institute survey of 603 U.S.-based IT, IT security and OT security practitioners at the C-level, managerial and director levels. The survey was sponsored by Dragos.
- Organizations lack OT/ICS security investments because of a mismatch in security or engineering experience. Fifty-six percent of respondents said investments are most often blocked because OT security is managed by engineers, who lack cybersecurity expertise. Likewise, 53% of respondents said investments are blocked because OT security is managed by IT, who lack engineering experience.
- CISOs oversee OT cybersecurity at one in 10 organizations. The VP of engineering is the top person accountable for OT security for 25% of respondents, followed by the director/manager of IT at 18%, and the CIO at 16%.
As companies with OT/ICS outsource ICS capabilities and train in-house, they are also confronting ICS security oversight.
Industrial systems superseded the CISO title, which is partially why the VP of engineering has an established "clear line of succession to the CEO," in most industrial organizations, said Jason Christopher, principal cyber risk advisor at Dragos.
However, if a company does have an industrial CISO, they need to have a direct relationship with the VP of engineering. "Unlike traditional IT systems, when an industrial cybersecurity incident occurs, engineers must be involved in the restoration and recovery of the system," he said.
Engineers sometimes work around security controls when they change programs or plug in different equipment. But ICS security is unique because it requires input from multiple stakeholders — engineering, operations, IT and physical security, said Christopher.
It's rare for companies to benefit from personnel who are equally trained in engineering and cybersecurity, and "it will be hard for many industrial organizations to hire for the skills shortage we see in this survey," Christopher said. Four in 10 respondents are investing in OT/ICS skills, the survey found.
Boards will want to know how effective OT/ICS security programs are, however, messaging isn't presented until after something goes wrong. Just over one-third (35%) of respondents said the individual responsible for OT/ICS cybersecurity reports to the board of directors, the report found. But within that 35%, two in five respondents adopt the reporting structure only after an incident. In the last two years, 63% of respondents have experienced a cybersecurity incident.
A growing number of executives and boards "recognize that managing cyber risk is part of their fiduciary duties — and you cannot manage what you do not understand," he said. The 35% indicates companies are struggling with governance in ICS security, and have insufficient understanding of risks to OT.
While industrial systems are beginning to enjoy the benefits of modernization, "security is not invited to the table during these conversations," Christopher said. Adding security during transformational initiatives is "far more painful" than implementing it throughout the process, despite the increasing interconnectedness of devices.
Half of the survey respondents showed optimism for the future of their OT/ICS cybersecurity, though only one-fifth said their programs have reached full maturity. Researchers consider security programs mature when OT/ICS program activities are fully deployed,emerging threats shape priorities and the C-suite/board are aware of the program's efficiency.
But until OT-specific cyber risks are better understood universally and IT and OT can overcome cultural differences, companies might stall additional adequate resourcing.