Cyber Security Falls Through the Gap Between OT & IT Responsibility

Over recent decades, as buildings have developed greater connectivity, the starkly different worlds of Operational Technology (OT) and Information Technology (IT) have found themselves converging in the emerging smart buildings space. In this new landscape, OT teams find themselves victim to cyber threats that they have never had to deal with before, while IT teams struggle to get to grips with cyber security for physical systems. The result is a dangerously wide range of smart building cyber security vulnerabilities that no one is taking responsibility for.

“This segmentation and segregation from the IT networks was historically seen as adequate protection from the majority of cyber security risks, with IT & security professionals adopting an “out of sight, out of mind” attitude to OT systems, with these systems rarely being subject to the same levels of monitoring or cyber hygiene as IT systems,” reads our new cyber security research. “Roll forward to today, with the built environment rapidly transforming into its own digital ecosystem, with building systems increasingly linked to other corporate systems and networks, and a historic failure to focus (and invest in) securing OT systems comes starkly into focus.”

“Having OT systems interconnected to other building networks and exposed to the internet significantly increases the security risk, making building systems susceptible to IP-based vulnerabilities, such as authentication bypass and insufficient encryption of critical data,” explains the new market report. “Worse still, OT environments also suffer from additional vulnerabilities relative to IT systems, due to lack of overall focus on cyber security concerns in the OT domain, its historic isolationism and the ongoing usage of thousands of legacy devices operating on unsecure protocols.”

Typically, OT teams are not equipped to defend their increasingly connected assets from cyber-attack, while IT teams tend to focus on network cyber security and neglect the novel vulnerabilities of the OT world. Hackers around the world are now identifying weaknesses that emerge in the gaps between OT and IT defences, giving them an easy route into the building network where all connected systems are at risk. This cyber weak spot is then further exacerbated by blurred lines of ownership and control and divergent systems priorities between IT departments, facilities staff, vendors and third-party contractors.

“Cybersecurity programs run by IT departments don’t typically address risks related to building automation. Meanwhile, OT staff have historically not focused on, or been effectively trained to manage the cyber risks that are now facing smart buildings. This situation means that responsibility for the cyber risk management of smart building systems falls in the cracks between OT and IT teams,” warns the comprehensive cybersecurity report. “Significant differences in IT and OT cultures must be overcome to drive effective collaboration and cross-domain support and alignment on objectives, expectations, and decision-making processes.”

A 2021 survey by SANS found that the responsibility for the security of industrial control systems ultimately fell on IT managers in 39% of organizations, followed by CIO/CISO or other corporate-level IT or security executives at 34.6%, then systems owners/operators at 34.1%. In a significant 16.6% of cases, organizations even delegate responsibility for cyber security control to the vendors or suppliers who originally built the solution. This ambiguous system of cybersecurity responsibility can significantly increase the level of risk faced by buildings, and clear governance policies must be established for each stakeholder group to address the persistent cyber threat in a holistic and sustainable way.

“Successful IT/OT convergence will require close cooperation between the previously separate IT and OT groups with improved understanding of each respective party’s culture, priorities, practices, and technologies to properly mitigate emerging cyber threats. A wide range of different stakeholders may have a role to play in maintaining effective cyber security for smart building systems at different points in the building life cycle,” explains the brand new report. “Developing integrated IT/OT security that is capable of delivering cohesive and coordinated cross-domain risk mitigation and response can be critical to ensuring that responsibility for the cyber security of smart building assets does not fall through the gaps”.
