An independent survey of 1,000 full-time IT security professionals was carried out in the United States, Australia, United Kingdom, Germany and France to determine the attitudes and concerns of IT security professionals related to OT security. The results found that Australians are more confident about the security of their critical infrastructure than other countries.
Australians are more confident that their country’s critical infrastructure is properly secured against cyber-attacks, with 90% saying that they are adequately protected.
The sectors that Australian respondents believed were most vulnerable were electric power (45%) and oil and gas (26%).
Dave Weinstein, CSO of Claroty, was interviewed about his analysis of the research.
Q: Did anything surprise you about the data in this report?
A: I was surprised by the degree to which respondents felt that critical infrastructure networks are adequately protected and safeguarded from threats. OT security is a new area of cybersecurity for most organisations and while critical infrastructure owners and operators have made great progress in the last few years with reducing their cyber risks, most are still at the very beginning of what will be a long journey to maturity. What struck me was that US IT people have less confidence in IT and OT security than in other parts of the world, sometimes by large margins. For example, respondents from Australia (93%) are much more confident in the overall safety of industrial networks versus respondents from the U.K., U.S. and France.
Q: Could that mean that IT folks in the rest of the world are more naive about security? Or that the issues are truly less worrisome in other parts of the world? Why or why not?
A: I don’t attribute this discrepancy to naïveté. IT and OT security practitioners all over the globe are increasingly aware of the changing cyber risk landscape. It’s possible that because IT professionals in the US are under a constant barrage of attacks — arguably more so than elsewhere across the globe — they view the situation through a slightly bleaker lens than the rest of the world.
Q: Were you surprised that OT cyber attacks are seen as more dangerous than IT cyber attacks?
A: Not at all. One of the distinguishing characteristics of OT attacks compared to IT attacks is the implications for safety. OT is an environment where cyber meets physical and therefore cyber attacks against these systems can manifest themselves in hazardous and unsafe conditions for those on the plant floor and potentially beyond. Thankfully, there have only been a small number of dangerous attacks.
Q: What is the difference between managing an OT network's security vs. an IT network's security?
A: Perhaps the biggest difference is the infrastructure itself. Most IT infrastructure was designed with security in mind. Likewise, IT infrastructure is built for interconnectivity. The OT environment, by contrast, wasn’t originally designed to be secure and it certainly wasn’t designed to be interconnected. When managing an OT network’s security, IT professionals must recognise these fundamental differences and how they impact traditional security operations and policies. With OT networks, for example, you can’t simply implement patches every day. Similarly, you can’t discover devices or monitor traffic using traditional techniques or tools because most of the assets on an OT network communicate using proprietary, vendor-specific protocols that can’t be easily parsed and understood.
Q: Should they be viewed as one system for the sake of improved security?
A: Every single organisation must tailor its cybersecurity governance to its own culture, strategy, and requirements, but there are a lot of benefits associated with integrating IT and OT security operations, policy, budgeting, and training. Perhaps the greatest benefit is the opportunity to achieve efficiencies with respect to people and technology. As IT networks converge with OT networks, it’s increasingly important to glean a full spectrum of visibility across both networks. Doing so also empowers defenders to track threat actors that are exploiting IT networks to access OT targets and vice versa.
Q: Are IT and OT networks typically viewed and monitored separately?
A: Most organisations that are ramping up their OT security posture are taking steps in parallel to integrate these new capabilities with existing IT security capabilities. The most common use case is an enterprise Security Operations Center (SOC) that includes OT networks in its purview. As Chief Information Security Officers (CISOs) are tasked with more and more responsibility in this domain, the transition can be accelerated.
Q: What are your top 3 recommendations for closing the IT-OT security gap, your top take-aways for readers?
A: First, you must gain deep visibility into precisely what is on your OT network and how those assets are behaving. This critical first step includes understanding not just what is on the network, but also the communications happening between and among these assets. Second, put in place mechanisms to bridge the cultural and communication divide between IT security professionals and OT and automation engineers. This collaboration will be critical down the line. And finally, build a roadmap that culminates in harmonising the continuous security monitoring of the IT network with that of the OT network. This evolution won't happen overnight, but it is a critical milestone for ultimately closing the IT-OT security gap.