Cultural Gap Identified in IT and OT Cybersecurity Practices
Quick take - A recent analysis has revealed a significant cultural divide between IT and OT cybersecurity organizations in critical infrastructure, highlighting the need for improved collaboration and understanding to address the unique challenges posed by operational technology systems.
Fast Facts
- A cultural gap exists between IT and OT cybersecurity organizations, leading to imbalances in understanding and collaboration, as highlighted in the October 2024 McCray Institute report.
- The current model, where the CISO oversees both IT and OT cybersecurity, may not effectively address the unique challenges of OT systems, which are crucial for physical safety and operational continuity.
- The ISA TR84.00.09 report suggests an alternative approach to enhance control system cybersecurity and process safety, emphasizing the need for collaboration between engineers and cybersecurity professionals.
- Incidents like refinery explosions and pipeline ruptures underscore the importance of securing OT systems: they pose significant business risks, and the same weaknesses that cause them can be triggered by cyber threats.
- A proposal was made to integrate cybersecurity competence with process safety competence in the ISA84 standard, highlighting the need for engineers to be actively involved in cybersecurity risk management.
Cultural Gap in Cybersecurity Practices for Critical Infrastructure
A recent analysis of cybersecurity practices in critical infrastructure has highlighted a significant cultural gap between IT and OT cybersecurity organizations. The current approach often places the Chief Information Security Officer (CISO) at the helm of both IT and OT cybersecurity, which has led to an imbalance in understanding and collaboration between network security teams and engineering/operations teams where OT resides.
Challenges in Current Cybersecurity Models
This issue is prevalent across the cybersecurity community, as noted in the October 2024 McCray Institute report titled “Securing America’s Digital Future: A Bipartisan Cybersecurity Roadmap for the Next Administration, Recommendations from a Task Force of leading Cybersecurity Experts.” The report suggests that the existing model may not adequately address the unique challenges posed by OT systems, which are critical for maintaining physical safety and operational continuity.
ISA TR84.00.09, “Cybersecurity Related to the Safety Lifecycle,” proposes an alternative approach that could enhance control system cybersecurity and process safety while addressing the cultural divide. CISOs are encouraged to gain a comprehensive understanding of cybersecurity, recognizing that OT cybersecurity issues can have more severe consequences than IT-related incidents such as billing system compromises.
The importance of securing OT systems is underscored by the potential for physical damage and disruption of essential services, such as refinery explosions, pipeline ruptures, and water contamination. These incidents, while not always identified as cyber-related, pose significant business risks, and the same weaknesses that cause them can be triggered by cyber threats.
The Need for Collaboration
A lack of integration between engineers, plant floor operations personnel, and IT/OT cybersecurity professionals is a contributing factor to the current challenges. This disconnect is often due to a lack of understanding of the overlapping roles and responsibilities in cybersecurity. In a blog post titled “OT/control system cybersecurity has changed and not for the better,” it was noted that in 2001, control system cybersecurity was primarily an engineering issue supported by IT. Today, however, critical infrastructure cybersecurity is often viewed as a network security issue, with minimal engineering involvement.
Feedback from a CISO at a major U.S. water utility highlighted the complexity of cyber defense, emphasizing the need for collaboration between engineers and cybersecurity professionals. The CISO argued that cybersecurity is a holistic discipline that requires a comprehensive approach, including physical security measures and access controls. The CISO also noted that while engineers play a crucial role, it is the collaboration between engineers and cybersecurity professionals that will ultimately enhance system protection.
In response, it was acknowledged that engineers are not typically on the front lines of cyber defense, and there is a need for their expertise in understanding and protecting processes like water treatment and delivery. The CISO further emphasized that cybersecurity involves more than just tools and forensics; it is a methodical approach to safeguarding critical assets and data.
Bridging the Knowledge Gap
The CISO expressed confidence in the ability of the cybersecurity community to improve through partnerships with organizations like AWWA, CISA, and the FBI. The response highlighted the need for engineering expertise in implementing compensating controls for control system field devices that lack cybersecurity capabilities. The gap in understanding control systems by CISOs is not unique to one utility or sector.
In a review of another large water utility’s cybersecurity program, it was found that process sensors and actuators were not considered part of the cybersecurity scope. This oversight was attributed to the CISO’s lack of OT/control system experience. The need for engineers to be actively involved in cybersecurity risk management was also emphasized.
An article by John Rezabek in the September 2024 issue of Control magazine discussed the challenges faced by engineers in adapting to digital control systems. Rezabek noted that engineers who were once involved in factory acceptance tests and commissioning are now often replaced by network specialists and domain administrators. These roles, while valuable, may lack the process-specific knowledge required for effective control system management.
The article suggested that all personnel involved in control systems, including those focused on cybersecurity, should be trained in the full range of options and potential issues. The Competence Annex in IEC 61511, “Functional safety - Safety instrumented systems (SIS) for the process industry sector,” provides guidance on competence management systems. Many SIS-related incidents identify human error as a contributing factor, highlighting the need for competence requirements to be met before individuals are assigned to SIS lifecycle activities. However, cybersecurity is not explicitly mentioned in these requirements.
On October 28, 2024, a proposal was made to integrate cybersecurity competence with process safety competence in the ISA84 standard.