Getting networking and technical organizations to work together is critical, and one would think should be easy. Unfortunately “doughnut diplomacy” hasn’t worked and the gap between Engineering and IT/OT continues to exist and may even be growing.
It is the physics issues, such as Aurora, that cause long-term damage and require engineering expertise. Consequently, there is a need to have both network cyber security and engineering expertise to properly address ICS cyber security, particularly from physics issues which are existential issues.
Moody’s Investor Services believes all utilities are prized targets for cyber attackers and sophisticated nation state actors may seek to exploit potential cybersecurity vulnerabilities. I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the reassurances from industry organizations.
Addressing the field device level requires engineering expertise and is what makes control system cyber security different than IT/OT cyber security. Automation/process/relay engineers, field instrument/relay technicians, etc. are not OT but Engineering whereas OT is the network engineers and network technicians. Consequently, the real culture gap is between Engineering and IT/OT.
I had an awakening as to the much greater than realized disconnect between what is said in the literature and courses and what we need to know as practitioners as I was giving guest lectures and labs to chemical engineering students on PID control. We are increasingly messed up.