Nov 10, 2021

ICS security investments blocked by management confusion

As companies with OT/ICS outsource ICS capabilities and train in-house staff, they are also confronting the question of who oversees ICS security.
Industrial systems predate the CISO title, which is partly why the VP of engineering has an established "clear line of succession to the CEO" in most industrial organizations, said Jason Christopher, principal cyber risk advisor at Dragos.
However, if a company does have an industrial CISO, they need to have a direct relationship with the VP of engineering. “Unlike traditional IT systems, when an industrial cybersecurity incident occurs, engineers must be involved in the restoration and recovery of the system,” he said. 
Engineers sometimes work around security controls when they change programs or plug in different equipment. But ICS security is unique because it requires input from multiple stakeholders — engineering, operations, IT and physical security, said Christopher. 
It’s rare for companies to benefit from personnel who are equally trained in engineering and cybersecurity, and “it will be hard for many industrial organizations to hire for the skills shortage we see in this survey,” Christopher said. Four in 10 respondents are investing in OT/ICS skills, the survey found. 
Boards will want to know how effective OT/ICS security programs are; however, that messaging often isn't presented until after something goes wrong. Just over one-third (35%) of respondents said the individual responsible for OT/ICS cybersecurity reports to the board of directors, the report found. But within that 35%, two in five respondents adopted the reporting structure only after an incident. In the last two years, 63% of respondents have experienced a cybersecurity incident.
A growing number of executives and boards “recognize that managing cyber risk is part of their fiduciary duties — and you cannot manage what you do not understand,” he said. The 35% indicates companies are struggling with governance in ICS security, and have insufficient understanding of risks to OT. 
While industrial systems are beginning to enjoy the benefits of modernization, "security is not invited to the table during these conversations," Christopher said. Adding security after transformational initiatives is "far more painful" than building it in throughout the process, despite the increasing interconnectedness of devices.
Half of the survey respondents showed optimism for the future of their OT/ICS cybersecurity, though only one-fifth said their programs have reached full maturity. Researchers consider security programs mature when OT/ICS program activities are fully deployed, emerging threats shape priorities, and the C-suite/board are aware of the program's efficiency.
But until OT-specific cyber risks are better understood universally and IT and OT can overcome cultural differences, companies might stall additional adequate resourcing. 