editor’s question
A?
ANDREA
CARCANO
– NOZOMI
NETWORKS CO-
FOUNDER
s IT and OT and
even IoT worlds
converge, anyone
who is sceptical
of the need for
secure cyber and
physical systems
should consider the results of a critical
infrastructure executive survey that
Nozomi Networks recently conducted
with Newsweek Vantage. Almost all of
the 415 executives surveyed say their
organisation has suffered at least one
security incident in the past 12 months
and half have experienced two or more.
Nearly a quarter say the time between
compromise and discovery exceeded
24 hours.
Just as worrying, employees are
regarded as the biggest human source
of vulnerability – bigger even than cybercriminal
groups. Former employees are
also a security risk. These statistics
contradict the common belief that
terrorists and state actors are the
biggest risk.
More than half of the breaches reported
are cyber incursions into IT systems,
but physical incursions into IT and OT
systems are very common too, and
this is why it’s important to approach
security from both a cyber and a
physical perspective.
Our survey found the more integrated
IT, OT, IoT and physical systems are,
the greater the degree of security, but
because they are so integrated, these
systems are more vulnerable to attack.
Executives have to balance the need for
efficiency with the imperative for security.
Furthermore, too many organisations are
under the impression that their approach
to IT, OT and physical system security
is adequate, until they find that it isn’t.
More than a third of executives say that
an actual cyberbreach caused them
to develop a holistic approach to their
organisation’s cyber/physical security.
In response to cyber-physical threats,
two thirds have integrated some of
their IT, OT and physical systems,
and the process is continuing. A fifth
have integrated all their systems.
But here’s the thing, executives see
the main advantages of integration
as more responsiveness and better
decision-making. The fewest number
say integration was motivated by the
need for stronger security. Overall,
there seem to be three major obstacles
The main
organisational
obstacle is cultural
– a difference in
opinions from IT and
OT on what needs to
be secured.
to implementing a holistic approach to
securing IT, OT and physical systems:
cultural, technical and external forces.
The main organisational obstacle is
cultural – a difference in opinions
from IT and OT on what needs to be
secured. Technical obstacles to a
holistic approach include the differences
in IT and OT operation environments,
discrepancies in IT and OT skill
requirements and the differences in the
security threats faced on both sides.
Finally, a significant external obstacle
to a holistic approach to securing IT
and OT systems is a lack of adherence
to standards. There are not enough
appropriate industry measurements to
help ensure the performance claims
of competing security products,
and what’s more, there is a lack of
established IT standards compounded
by a shortcoming of awareness when it
comes to OT standards.
Admittedly, without a crisis, it’s often
hard to change. It can be difficult to
alter habits of thought and traditional
business practices. But it doesn’t
have to take a catastrophe to spur
organisations to change. Critical
infrastructure organisations in particular
are facing mounting risks to their IT, OT
and physical systems. Now is the time to
push for change, to put them in the best
position to deal with a security incident
before it occurs. u
30 Issue 26 | www.intelligentciso.com