As companies with OT/ICS outsource ICS capabilities and train in-house, they are also confronting ICS security oversight. 
Industrial systems superseded the CISO title, which is partially why the VP of engineering has an established “clear line of succession to the CEO” in most industrial organizations, said Jason Christopher, principal cyber risk advisor at Dragos. 
However, if a company does have an industrial CISO, they need to have a direct relationship with the VP of engineering. “Unlike traditional IT systems, when an industrial cybersecurity incident occurs, engineers must be involved in the restoration and recovery of the system,” he said. 
Engineers sometimes work around security controls when they change programs or plug in different equipment. But ICS security is unique because it requires input from multiple stakeholders — engineering, operations, IT and physical security, said Christopher. 
It’s rare for companies to benefit from personnel who are equally trained in engineering and cybersecurity, and “it will be hard for many industrial organizations to hire for the skills shortage we see in this survey,” Christopher said. Four in 10 respondents are investing in OT/ICS skills, the survey found. 
Boards will want to know how effective OT/ICS security programs are; however, messaging isn’t presented until after something goes wrong. Just over one-third (35%) of respondents said the individual responsible for OT/ICS cybersecurity reports to the board of directors, the report found. But within that 35%, two in five respondents adopt the reporting structure only after an incident. In the last two years, 63% of respondents have experienced a cybersecurity incident. 
A growing number of executives and boards “recognize that managing cyber risk is part of their fiduciary duties — and you cannot manage what you do not understand,” he said. The 35% indicates companies are struggling with governance in ICS security, and have insufficient understanding of risks to OT. 
While industrial systems are beginning to enjoy the benefits of modernization, “security is not invited to the table during these conversations,” Christopher said. Adding security during transformational initiatives is “far more painful” than implementing it throughout the process, despite the increasing interconnectedness of devices.
Half of the survey respondents showed optimism for the future of their OT/ICS cybersecurity, though only one-fifth said their programs have reached full maturity. Researchers consider security programs mature when OT/ICS program activities are fully deployed, emerging threats shape priorities and the C-suite/board are aware of the program’s efficiency. 
But until OT-specific cyber risks are better understood universally and IT and OT can overcome cultural differences, companies might stall additional adequate resourcing. 