A cultural divide between IT and operational technology (OT) teams prevents organizations from having a unified strategy for securing both environments.
Only 21% of organizations have reached full maturity on their ICS / OT cybersecurity program, where emerging threats drive priority actions, and executive-level executives and the board are regularly briefed on the status of their OT security.
This is despite 63% of organizations having had an ICS / OT cybersecurity incident in the past two years and it took an average of 316 days to detect, investigate and remediate the incident. According to 61% of respondents, digital transformation and trends in the industrial Internet of Things (IIoT) have also greatly expanded cyber risk in the OT and ICS environment.
Only 43% of organizations have cybersecurity policies and procedures aligned with their ICS and OT security goals. 39% have IT and OT teams working together cohesively to achieve a mature security position in both environments. 35% have a unified security strategy that protects both IT and OT environments, despite the need for different controls and priorities.
“Most organizations do not have the IT / OT governance structure required to drive a unified security strategy, and this starts with the organization’s lack of specific cybersecurity expertise,” said Steve Applegate, chief information security. officer of Dragos. “Bridging the cultural gap between IT and OT teams is a significant challenge. But organizations should not fall into the trap of thinking that OT can be simply attached to an existing IT program or managed under a general IT umbrella. There are differences. between the problems and objectives of a corporate IT environment – security and data protection – and industrial environments, where human health and safety, loss of physical production and plant shutdowns are real risks. and ICS / OT specific technologies are both necessary to truly safeguard industrial systems ”.
Looking at the reasons behind the lack of collaboration, 44% of respondents say that there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of vendors. industrial automation equipment. 43% of respondents say they lack clear “ownership” over industrial cyber risk and uncertainty about who leads the initiative, implements controls and supports the program.
The full report is available from the Dragos website.