Cyber Security Falls Through the Gap Between OT & IT Responsibility

Over recent decades, as buildings have developed greater connectivity, the starkly different worlds of Operational Technology (OT) and Information Technology (IT) have found themselves converging in the emerging smart buildings space. In this new landscape, OT teams find themselves victim to cyber threats that they have never had to deal with before, while IT teams struggle to get to grips with cyber security for physical systems. The result is a dangerously wide range of smart building cyber security vulnerabilities that no one is taking responsibility for.

“This segmentation and segregation from the IT networks was historically seen as adequate protection from the majority of cyber security risks, with IT & security professionals adopting an ‘out of sight, out of mind’ attitude to OT systems, with these systems rarely being subject to the same levels of monitoring or cyber hygiene as IT systems,” reads our new cyber security research. “Roll forward to today, with the built environment rapidly transforming into its own digital ecosystem, with building systems increasingly linked to other corporate systems and networks, and a historic failure to focus (and invest in) securing OT systems comes starkly into focus.”

“Having OT systems interconnected to other building networks and exposed to the internet significantly increases the security risk, making building systems susceptible to IP-based vulnerabilities, such as authentication bypass and insufficient encryption of critical data,” explains the new market report. “Worse still, OT environments also suffer from additional vulnerabilities relative to IT systems, due to lack of overall focus on cyber security concerns in the OT domain, its historic isolationism and the ongoing usage of thousands of legacy devices operating on unsecure protocols.”

Typically, OT teams are not equipped to defend their increasingly connected assets from cyber-attack, while IT teams tend to focus on network cyber security and neglect the novel vulnerabilities of the OT world. Hackers around the world are now identifying weaknesses that emerge in the gaps between OT and IT defences, giving them an easy route into the building network where all connected systems are at risk. This cyber weak spot is then further exacerbated by blurred lines of ownership and control and divergent systems priorities between IT departments, facilities staff, vendors and third-party contractors.

“Cybersecurity programs run by IT departments don’t typically address risks related to building automation. Meanwhile, OT staff have historically not focused on, or been effectively trained to manage the cyber risks that are now facing smart buildings. This situation means that responsibility for the cyber risk management of smart building systems falls in the cracks between OT and IT teams,” warns the comprehensive cybersecurity report. “Significant differences in IT and OT cultures must be overcome to drive effective collaboration and cross-domain support and alignment on objectives, expectations, and decision-making processes.”

A 2021 survey by SANS found that the responsibility for the security of industrial control systems ultimately fell on IT managers in 39% of organizations, followed by CIO/CISO or other corporate-level IT or security executives at 34.6%, then systems owners/operators at 34.1%. In a significant 16.6% of cases, organizations even delegate responsibility for cyber security control to the vendors or suppliers who originally built the solution. This ambiguous system of cybersecurity responsibility can significantly increase the level of risk faced by buildings, and clear governance policies must be established for each stakeholder group to address the persistent cyber threat in a holistic and sustainable way.

“Successful IT/OT convergence will require close cooperation between the previously separate IT and OT groups with improved understanding of each respective party’s culture, priorities, practices, and technologies to properly mitigate emerging cyber threats. A wide range of different stakeholders may have a role to play in maintaining effective cyber security for smart building systems at different points in the building life cycle,” explains the brand new report. “Developing integrated IT/OT security that is capable of delivering cohesive and coordinated cross-domain risk mitigation and response can be critical to ensuring that responsibility for the cyber security of smart building assets does not fall through the gaps”.
