Where should accountability for OT security fall within an organisation?

In today’s connected world, everything from power grids and public transport to manufacturing and logistics has had an upgrade to become ‘smart’ (self-monitoring analysis and reporting technology). The race to fully embrace the benefits delivered by this functionality has led to the convergence of the data side of the business, traditionally the realm of IT, and the operational technology (OT) side, used to manage industrial control systems (ICS). This convergence has created the perfect cyber security storm, and who is responsible for securing both environments is a topic of much debate.

Traditionally, OT environments had very limited and/or restricted connectivity, both internally with local networks and externally to the internet, third-party contractors, etc. Given this segregation, when the subject of security was discussed it was typically either dismissed, due to the perceived ‘air-gap’, or treated as synonymous with safety, with the key objective of ensuring that no individual is put in physical harm’s way. Conversely, security within IT was focused on ensuring systems and data were protected to prevent data theft or downtime.