The 'Air Gap' Between IT & OT is Disappearing, & We're Not Ready to Manage the Risk

At Infosecurity Europe, CISOs and cybersecurity experts come together to discuss current threats, challenges and complexities, and forge a way forward. This year one of the key topics addressed in our conference programme is the increasing convergence of the physical and cyber-domains.

Operational devices, systems and infrastructure are being connected to corporate and cloud environments, meaning the safe ‘air gap’ between IT and OT (operational technology) no longer exists. This creates risk: according to Ciaran Martin, head of the UK's National Cyber Security Centre (NCSC), a major category one (C1) attack on our critical infrastructure – one that disrupts essential services, or affects national security – is a matter of “when, not if”.

Over half of the respondents to our latest social media poll agree, with 59% believing that an attack on our critical national infrastructure is likely this year.

Mike Koss, Head of Information Security and Risk at N Brown Group, points out that physical and cyber risk are intrinsically linked. “Over the last two decades I’ve conducted security assessments on organizations, and there have been real world cases of physical damage caused by electronic means,” he says. “Perhaps this problem is perceived to be greater because new business models are coming into play, and the focus is on being first to market, not security.

“Physical security – be it of a company’s site, device, network port or garbage – is always going to be linked with cybersecurity. Highly motivated attackers will try everything to gain access or cause damage to complex machinery.”

The results of our poll also indicate that organizations are not fully prepared to manage security effectively across both cyber and physical environments.

More than two thirds (68%) of respondents said the security teams in charge of their physical and cyber infrastructures never collaborate. This disconnect leads to misaligned plans and conflicting priorities. It’s vital that teams work together to understand blended cyber-physical attacks, and develop joint approaches, plans and policies.

Shawn Scott, Thames Water’s Head of Information Security, suggests a number of approaches to managing security in a more cohesive way. “Organizations can use modern risk management techniques to allow cyber and physical security risks to sit together in a dependency matrix that aligns to overall business risk,” he says. “Security officers should have a shared threat and intelligence pipeline and incident response process, and underpin this with strong data analytics. Companies should also help and empower senior security executives to be responsible and accountable for the security of all assets, physical and digital.”

Worryingly, only 16% of respondents to the Infosecurity Europe poll were aware of the EU’s NIS Directive. This legislation, put in place in 2016, sets out network security requirements that apply to all operators of essential services and digital service providers (DSPs). Failure to comply could present attackers with ‘open doors’ through which they can access infrastructure and physical assets.

As Shawn Scott says: “In the physical world, risks to human life can be an upstream consequence of many types of attacks in the digital world.” This is why we put topics like this centre stage on our agenda at Infosecurity Europe. Cyber risk is impacting the physical realm, and organizations must have effective management strategies in place.

The theme of Infosecurity Europe 2019 is Cybersecurity 4.0: Complexity, Risk and Resilience. As organizations become more complex, increased connectivity, machine learning and rising cyber threats to infrastructure pose new risks. Our conference programme will provide the knowledge the infosec community needs to understand the latest threats and challenges, manage and mitigate the risks, and build resilience.

The Infosecurity Europe Twitter poll, which attracted 12,100 responses across three questions, was conducted during the week of 4 February. The press release announcing the results can be read here.

The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
