Who is ultimately responsible for protecting Industrial Internet of Things (IIoT) and operational technology (OT) equipment as businesses rush toward digital transformation? All CxOs should be asking their internal teams who are responsible for IT and OT security the same question. We did.
In a survey that Forescout recently commissioned and was conducted by Forrester Consulting1, the results unveiled some of the major challenges Line-of-business (LoB) leaders and IT teams face, and why they are feeling anxious about securing critical Internet of Things (IoT) and OT devices. In the second of my two-part discussion, let’s explore one major concern among OT and traditional security operations—which is that IT and LoB teams have a history of not seeing eye-to-eye on IoT and OT security due to varying priorities.
IT and LoB leaders don’t agree who should be primarily responsible for managing connected devices
The survey also supports a clear disconnect between IT and LoB leaders, highlighting potential ownership issues around securing process-specific IoT/OT devices. For instance, when asked who is primarily responsible for securing devices on an enterprise network, LoB respondents report that dedicated LoB IT staff or LoB practitioners take charge (65 percent), whereas IT respondents more commonly indicated that security operations center professionals are responsible (44 percent).
Traditionally, it has been a challenge to get these two independent groups to be cohesive as they may not collaborate or may not like other groups involved in their projects. Oftentimes, operations staff in industrial enterprise environments may not know what types of OT, IT or IoT equipment are connected to the network. Further complicating the situation is the fact that many maintenance processes are still performed manually or performed as part of a maintenance agreement through equipment vendors.
What’s more, when connected devices go unnoticed, how can LoB and IT professionals know when threat activities appear? Without full knowledge of connected assets, both teams are unable to make adequately informed decisions regarding what controls to implement or how to prioritize security and spending.
If IT and LoB don’t start working together, it could lead to more network vulnerabilities that allow hackers access to an organization’s connected devices. Once a hacker has access to one device, he/she can gain entire network access. The potential negative business outcomes a security issue can have on critical operations would be amplified throughout the organization.
Prioritizing Security Top-Down
From a board-of-directors perspective, you should have a holistic view into corporate IT and OT environments, bringing every device—and everyone—together. According to the survey, 38% of companies currently manage IoT solutions and devices through IT via an enterprise-wide security operations center. But it’s becoming critical for more collaboration among asset managers, LoB teams and network teams that are adopting and deploying these connected devices. These teams should agree upon who is primarily responsible for IIoT and OT security and establish consistent processes and policies to follow from the moment of installation.
Through a combination of top-down executive support and proper security tools and audits, teams can gain confidence in their IoT/OT network visibility. Once teams collaborate together and understand from both a technology and organizational-responsibility perspective what needs to be done to keep their network secure, everyone can sleep soundly at night—knowing their network is more secure and hackers may be kept at bay.
1 Fail To Plan, Plan To Fail, a commissioned study conducted by Forrester Consulting on behalf of Forescout, November 2017