New research from Trend Micro, a global leader in cybersecurity, reveals that enterprise Security Operations Centres (SOCs) are increasingly expanding their operations into the operational technology (OT) domain, but that challenges around data visibility and retaining people with the right skills are causing problems.
Challenges in combining IT-OT security
The survey found that half of organisations now have an enterprise SOC with some level of ICS/OT visibility. But even among respondents with a more comprehensive SOC, only about half (53%) of OT environments provided data to it for detection purposes.
This shortcoming is also reflected in another finding. Asked which capabilities of their IT and OT environments are most important to merge, respondents ranked cyber incident detection (63%) first, followed by the ability to inventory resources (57%) and identity and access management (57%). Being able to detect incidents in both IT and OT environments is crucial for identifying root causes and preventing future threats that could disrupt business operations. However, this requires data from both IT and OT environments, which is often not the case today.
Endpoint detection and response (EDR) and internal network security monitoring (NSM) are important tools for providing that root-cause data, according to the study. Yet EDR is currently applied to engineering and operator resources by less than a third (30%) of respondents, and NSM is rarely (< 10%) deployed at the physical process and basic control levels deep in OT environments.
Too few skilled people and too much legacy technology
Beyond the gaps in visibility, the survey reveals major people and process challenges in extending SecOps across IT and ICS/OT environments.
Four of the five biggest barriers identified by respondents are related to staffing:
- Training IT staff in OT security (54%)
- Breaking communication silos between relevant departments (39%)
- Attracting and retaining employees who understand cybersecurity (38%)
- Training OT employees in IT (38%)
- Insufficient understanding of risks of IT and OT domains (38%)
Legacy technology is also cited as a major challenge to building OT SecOps understanding. The top three challenges that prevent organisations from merging their IT and OT environments are the limitations of legacy devices and networks (45%), lack of OT knowledge among IT staff (40%) and IT technologies not designed for OT environments (37%).
Respondents expect to redouble their efforts to merge IT and OT SecOps and gain more insight into OT threats. Two-thirds (67%) plan to expand their SOC. Of those who have already implemented EDR, 76% plan to expand these deployments into ICS/OT in the next 24 months. In addition, 70% of those who have already added NSM capabilities plan to expand these deployments in the same time frame.
Download the full study "Breaking IT/OT Silos With ICS/OT Visibility" here.
Methodology
Trend Micro commissioned the SANS Institute to interview 350 members of the SANS community working as ICS/OT professionals within critical infrastructure sectors in the US, Europe and Asia.