How prepared is the industrial sector to fight and defend against cyber attacks? Wurldtech wanted to take a closer look, and so asked YouGov to conduct a survey of nearly 900 senior IT/security professionals from oil and gas, utilities, transportation, and healthcare organizations around the globe to find out more about their critical infrastructure security readiness.
What we learned had us nodding our heads, “Yes, makes sense, not surprising.” But also shaking them a bit, thinking, “Hold on a minute, this is curious, the plot thickens.”
The Age-Old Balancing Act: Efficiency vs. Security
Even before the days of big data, the Internet, or rudimentary computer coding, balancing operational efficiency with adequate security has been an issue. But now, with companies in the industrial sector beginning to embrace the Internet of Things (IoT) and moving toward greater connectivity to increase revenue, lower costs, and enhance automation, the balancing act just got that much more complicated.
For good or for bad, the scales have historically seemed to tip in efficiency’s favor. Performance trumped all and even a hint of security hindering productivity was not allowed—lest competition move in and the business falter. The flip side, of course, is that without adequate defenses, isn’t business at risk by default?
For many managers, IT security remains a no-contest top investment priority. That’s not a bad thing, but is it enough? What about OT-specific security? Is it going to take a hard-knocks lesson on compromise before organizations can fully accept, too, the criticality of OT security readiness? Or will it be like Saul getting knocked off his Damascus-bound donkey—and will organizations need to be hit hard by a breach before they “see the light”?
A Case of Misunderstanding OT Security?
In order of importance, execs listed their top investment priorities as IT security, compliance, safety, adoption of new technologies, and operational technology (OT) security.
While it makes sense that organizations are looking to new technologies to gain efficiency, increase production, and reduce costs, it is a bitter pill to swallow that OT security—specific to running critical production assets and process controls—would rank last.
We think this may be a case of misunderstanding.
Since IT security ranks high on the investment priority list, we don’t think anyone is underestimating the new risks associated with an increasingly connected world. Rather, we might deduce that the disparity highlights organizations’ possible misunderstanding of the unique requirements of OT (versus IT) security and how it requires a different type of expertise to manage.
While it’s possible to derive lessons from IT that can be applied to OT, it’s critical to differentiate the two and understand that protecting one is not the same as protecting the other. With specialized OT security, organizations can be much more protected—especially considering that while respondents are prioritizing IT security investments, they, as a whole, also lack confidence that those investments will adequately mitigate a cyber attack. In this sense, maybe they get that IT tools and techniques don’t work in OT environments.
To learn more about the survey and results, check out our infographic from the Critical Infrastructure Security Readiness 2016 Report.