Cultural clashes block unified strategies across ICS/OT cybersecurity: Ponemon and Dragos

Cultural clashes block unified strategies across ICS/OT cybersecurity; according to Ponemon and Dragos, companies are unaligned and at risk.

Dragos, Inc. (Dragos), today released “The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams” report from the Ponemon Institute. The Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. The report found that cultural clashes block unified strategies across ICS/OT cybersecurity.

Unaligned and under attack

The report found only 21% of organisations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and the board are regularly informed about the state of their OT security.

63% of organisations suffered an ICS/OT cybersecurity incident in the past two years, which took an average of 316 days to detect, investigate and remediate. 61% of respondents agreed that the Internet of Things had greatly expanded risks.

Only 43% of organisations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives. Just 35% have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities.

Barriers to collaboration

The report suggests that cultural clashes, rather than conflict between the teams, block unified strategies across ICS/OT cybersecurity. Only 32% cited competition between IT and OT for budget dollars and new security projects, and only 27% have difficulty in converging security teams across IT and OT as an enterprise-wide security program.

Half of respondents stated that cultural differences between engineers, security professionals, and IT staff are the main challenge. 44% said there were problematic technical differences between traditional IT-specific best practices and what is possible in OT environments. 43% said there was a lack of clear “ownership” on industrial cyber risk.

The results

The report highlighted a series of risks as a result of this failure to collaborate, including immature ICS/OT cybersecurity, uninformed C-level executives and board members, inadequate resource allocation due to senior management’s lack of awareness regarding risks, and badly structured reporting and accountability leading to a lack of OT and ICS investment.