Cultural divide between IT and OT teams prevents 65% of organizations from having a unified cybersecurity strategy, according to Ponemon survey sponsored by Dragos

State of Industrial Cybersecurity report reveals that only 21% of organizations have reached full maturity for ICS / OT cybersecurity and regularly update C-suite and board on state of OT cybersecurity

HANOVER, Maryland, November 10, 2021– (BUSINESS WIRE) – Dragos, Inc., the global leader in cybersecurity for industrial control systems (ICS) / operational technology (OT) environments, today released “The State of Industrial Cybersecurity in 2021: Risks Created by Cultural Divide Between IT & OT Teams “Ponemon Institute report. The new annual report found that only 21% of organizations have reached full maturity on their ICS / OT cybersecurity program, in which emerging threats lead to priority actions and C-level executives and the board of directors are regularly updated on the state of their OT security.

As the frequency and severity of attacks increase, organizations are struggling to stay ahead of these threats, according to survey of 603 IT, IT and security professionals OT at the level of management, directors and executives. The report found that 63% of organizations had an ICS / OT cybersecurity incident in the past two years, and that it took an average of 316 days to detect, investigate and resolve the incident. The digital transformation and industrial Internet of Things (IIoT) trends have significantly extended cyber risk to the OT and ICS environment according to 61% of respondents who agree or strongly agree.

The study reveals a cultural divide between IT and OT teams that affects the ability to secure both the IT and ICS / OT environment. Only 43% of organizations have cybersecurity policies and procedures aligned with their ICS and OT security goals. Thirty-nine percent have IT and OT teams working together cohesively to achieve a mature security posture in both environments. Only 35% of them have a unified security strategy that secures both IT and OT environments, despite the need for different controls and priorities.

“Most organizations don’t have the IT / OT governance framework needed to drive a unified security strategy, and it starts with the lack of OT-specific cybersecurity expertise in the organization,” said Steve Applegate. , Director of Information Security, Dragos, Inc. The cultural divide between IT and OT teams is a significant challenge. But organizations shouldn’t fall into the trap of thinking that OT can simply be added to an existing computer program or managed under a general computing umbrella. There are fundamental differences between the issues and goals of an enterprise IT environment (data safety and security) and industrial environments, where human health and safety, loss of physical production, and plant shutdowns are real risks. really safeguard industrial systems.

“The majority of senior executives and boards are not informed about the efficiency, effectiveness and security of their ICS / OT cybersecurity programs,” said Dr. Larry Ponemon, President and Founder of the Ponemon Institute. “If the board isn’t fully aware of the impact a cybersecurity incident would have on bottom lines, it is much more difficult to secure the right amount of budget for OT programs. As evidenced by the report, this stems from a lack of clear ownership for the ICS / OT risk and pointing it out to the board between engineering, IT and CISOs. “

Cultural differences, technical barriers and lack of clear ownership are the main challenges for OT and IT collaboration

The report’s findings suggest that misunderstanding between groups, rather than conflict, is the major problem. Only 32% cite competition between IT and OT for budgets and new security projects and only 27% have difficulty in converging security teams between IT and OT as a security program. enterprise-wide security.

  • Half of those polled say cultural differences between engineers, security professionals and IT staff are the biggest challenge.

  • 44% say there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and the unique requirements of industrial automation equipment vendors .

  • 43% of respondents say there is a lack of clear ‘ownership’ over industrial cyber risk and uncertainty as to who leads the initiative, implements controls and supports the program.

The risks created by the cultural divide between IT and OT teams

  • The level of cybersecurity maturity of ICS / OT is insufficient to meet today’s challenges. Only 21% of respondents report that their ICS / OT program activities have reached full maturity, where emerging threats lead to priority actions and C-level executives and the board are regularly updated on the status of their program. Half of the organizations are in the early and middle stages, while the remaining 29% are in the late middle stage.

  • Senior management and the board are not regularly briefed on the efficiency, effectiveness and safety of the program. Only 35% of respondents say that an ICS and OT cybersecurity manager reports IT and cybersecurity initiatives to the board. Of these respondents, 41% say that such a report only occurs when a security incident occurs.

  • Many senior executives are unaware of the risks and threats to OT and ICS environments, resulting in inadequate allocation of resources to manage risk. Less than half (48%) of respondents say their organization understands unique cyber risks and has specific security policies and processes for OT and ICS environments. Only 43% of respondents say senior management understands cyber risks and provides enough resources to defend OT and ICS environments.

  • Reporting relationships and responsibility for the security of the TO are not properly structured and deter investment in the TO and ICS. Fifty-six percent of respondents say the reason for blocking investments is because OT security is handled by the engineering department which does not have security expertise, and 53% of respondents say security OT is managed by an IT department with no engineering expertise. Only 12% of respondents say the RSSI is most responsible for the security of the ICS / OT program.

Consequences of an OT cybersecurity incident

Loss of confidence in the system was the number one consequence of a cybersecurity incident, reported by 54%, followed by persistent process inefficiency (49%) and loss of control availability (47%). Additional consequences include:

  • Loss of visibility in the physical process; 41%

  • Loss of income; 40%

  • Loss of public confidence; 32%

  • Unintentional and catastrophic process failures; 30%

Despite the challenges, organizations are focusing on investments to improve the cybersecurity posture of ICS and OT environments. Investments in areas that assess weaknesses in the security posture of OT environments are the top priority according to 60% of respondents. Contributing to the security posture involves gathering intelligence on threats specific to their industry, ICS and OT devices, and geography (56%) and hiring OT and ICS cybersecurity experts (49%).

Methodology of the Ponemon study

The Ponemon Institute surveyed 603 IT, IT, and OT security practitioners at C, managerial, and director levels in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices in their organizations.

The full report of the Ponemon Institute, “State of industrial cybersecurity in 2021: the risks created by the cultural divide between IT and OT teams, is available for download on Dragos here.

About Dragos, Inc.

Dragos has a global mission: to protect civilization from those who attempt to disrupt the industrial infrastructure on which we depend every day. The practitioners who founded Dragos have been drawn to this mission through decades of experience in the public and private sector.

Dragos encodes the knowledge of our cybersecurity experts into an integrated software platform that provides customers with critical visibility into ICS and OT networks so that threats are identified and can be addressed before they become significant events. Our solutions protect organizations across a wide range of industries including power and water utilities, energy and manufacturing, and are optimized for emerging applications such as the Industrial Internet of Things (IIOT) .

Dragos is a privately held company headquartered in the Baltimore-Washington, DC area, with a regional presence around the world, including Canada, Australia, New Zealand, Europe and the Middle East.

View the source version on


Kesselring Communications for Dragos
Leslie Kesselring, 503-358-1012
[email protected]

About Perry Perrie

Check Also

$5 million from Boeing will support quantum science and technology research at UCLA

UCLA received $5 million pledge from Boeing Co. to support university faculty Center for Quantum …

Leave a Reply

Your email address will not be published.