We asked Andrea Carcano, Nozomi Networks Co-founder, what security risks are being introduced as IT and OT networks converge. Here is his response:
As IT and OT and even IoT worlds converge, anyone who is sceptical of the need for secure cyber and physical systems should consider the results of a critical infrastructure executive survey that Nozomi Networks recently conducted with Newsweek Vantage. Almost all of the 415 executives surveyed say their organisation has suffered at least one security incident in the past 12 months and half have experienced two or more. Nearly a quarter say the time between compromise and discovery exceeded 24 hours.
Just as worrying, employees are regarded as the biggest human source of vulnerability – bigger even than cyber-criminal groups. Former employees are also a security risk. These statistics contradict the common belief that terrorists and state actors are the biggest risk.
More than half of the breaches reported are cyber incursions into IT systems, but physical incursions into IT and OT systems are very common too, and this is why it’s important to approach security from both a cyber and a physical perspective.
Our survey found the more integrated IT, OT, IoT and physical systems are, the greater the degree of security, but because they are so integrated, these systems are more vulnerable to attack. Executives have to balance the need for efficiency with the imperative for security.
Furthermore, too many organisations are under the impression that their approach to IT, OT and physical system security is adequate, until they find that it isn’t. More than a third of executives say that an actual cyberbreach caused them to develop a holistic approach to their organisation’s cyber/physical security.
In response to cyber-physical threats, two thirds have integrated some of their IT, OT and physical systems, and the process is continuing. A fifth have integrated all their systems. But here’s the thing, executives see the main advantages of integration as more responsiveness and better decision-making. The fewest number say integration was motivated by the need for stronger security.
Overall, there seem to be three major obstacles to implementing a holistic approach to securing IT, OT and physical systems: cultural, technical and external forces. The main organisational obstacle is cultural – a difference in opinions from IT and OT on what needs to be secured.
Technical obstacles to a holistic approach include the differences in IT and OT operation environments, discrepancies in IT and OT skill requirements and the differences in the security threats faced on both sides.
Finally, a significant external obstacle to a holistic approach to securing IT and OT systems is a lack of adherence to standards. There are not enough appropriate industry measurements to help ensure the performance claims of competing security products, and what’s more, there is a lack of established IT standards compounded by a shortcoming of awareness when it comes to OT standards.
Admittedly, without a crisis, it’s often hard to change. It can be difficult to alter habits of thought and traditional business practices. But it doesn’t have to take a catastrophe to spur organisations to change. Critical infrastructure organisations in particular are facing mounting risks to their IT, OT and physical systems. Now is the time to push for change, to put them in the best position to deal with a security incident before it occurs.