In response to Joe Weiss's blog post (Observations from Advisen Cyber Risk Conference March 3rd in San Francisco): There are at least three key issues correlated to the symptoms of this problem:
- Lines of ownership and accountability are generally unclear when it comes to cyber vulnerabilities impacting the ICS infrastructure. The question really is: who is accountable for industrial infrastructure security, and do they have the authority and subject matter expertise to establish the necessary security controls for ICS? What is the governance model associated with the security model?
- The primary focus at the organizational level seems to be security for IT systems. The distinction between IT and OT is not well understood. Infrastructure owners have to recognize that compliance does not necessarily equal protection.
- Control system cybersecurity requires an interdisciplinary approach. Again, the question is: are businesses investing in their workforce to ensure knowledge sharing and skills enhancement between and across the multiple disciplines of security, IT, OT, cyber, process, etc.?