ANDREA CARCANO – CO-FOUNDER, NOZOMI NETWORKS
EDITOR’S QUESTION
As the IT, OT and even IoT worlds converge, anyone who is
sceptical of the need for secure cyber and physical systems
should consider the results of a critical infrastructure executive
survey that Nozomi Networks recently conducted with Newsweek
Vantage. Almost all of the 415 executives surveyed say their
organisation has suffered at least one security incident in the past 12
months and half have experienced two or more. Nearly a quarter say
the time between compromise and discovery exceeded 24 hours.
Just as worrying, employees are regarded as the biggest human source
of vulnerability – bigger even than cyber-criminal groups. Former
employees are also a security risk. These statistics contradict the
common belief that terrorists and state actors are the biggest risk.
More than half of the breaches reported are cyber incursions into
IT systems, but physical incursions into IT and OT systems are very
common too, and this is why it’s important to approach security from
both a cyber and a physical perspective.
Our survey found the more integrated IT, OT, IoT and physical
systems are, the greater the degree of security, but because they
are so integrated, these systems are more
vulnerable to attack. Executives have to
balance the need for efficiency with the
imperative for security.
Furthermore, too many organisations are
under the impression that their approach
to IT, OT and physical system security is
adequate, until they find that it isn’t. More
than a third of executives say that an actual
cyberbreach caused them to develop a
holistic approach to their organisation’s
cyber/physical security.
In response to cyber-physical threats, two
thirds have integrated some of their IT, OT
and physical systems, and the process is
continuing. A fifth have integrated all their
systems. But here’s the thing: executives see
the main advantages of integration as more
responsiveness and better decision-making.
The fewest respondents say integration was motivated by the need for
stronger security.
Overall, there seem to be three major obstacles to implementing a
holistic approach to securing IT, OT and physical systems: cultural,
technical and external forces. The main organisational obstacle is
cultural – a difference in opinions from IT and OT on what needs to
be secured.
Technical obstacles to a holistic approach include the differences in
IT and OT operation environments, discrepancies in IT and OT skill
requirements and the differences in the security threats faced on
both sides.
Finally, a significant external obstacle to
a holistic approach to securing IT and OT
systems is a lack of adherence to standards.
There are not enough appropriate industry
measurements to help validate the performance
claims of competing security products, and
what’s more, there is a lack of established IT
standards, compounded by limited
awareness of OT standards.
Admittedly, without a crisis, it’s often hard to
change. It can be difficult to alter habits of
thought and traditional business practices. But
it doesn’t have to take a catastrophe to spur
organisations to change. Critical infrastructure
organisations in particular are facing mounting
risks to their IT, OT and physical systems. Now
is the time to push for change, to put them
in the best position to deal with a security
incident before it occurs.
www.intelligentcio.com
INTELLIGENTCIO