Cybersecurity is an organizational initiative; a necessity. It’s not us (OT) versus them (IT). Cybersecurity is not solely a technology problem. IT standards do not always translate well to secure ICS/SCADA systems and processes; however, much can be gained by understanding IT security principles and how they may or may not relate to OT security. Likewise, IT security needs to know/understand the engineering and operations of control systems so together they can better architect secure solutions. For this transfer of knowledge and understanding to occur most effectively, we need each other.
At the risk of being IT/OT cliché, our knowledge and understanding must converge, even in a ‘never the twain shall meet’ network architecture. While IT security and ICS/SCADA functions may never converge, the teams need to combine knowledge. Despite the disproportionate staffing of IT security versus ICS/SCADA security, the most successful organizational cybersecurity programs consist of both teams wanting to understand the roles and responsibilities of the other to better secure the organization (utility) as a whole.
To that end, WaterISAC kicked off the inaugural Cybersecurity Advisory Committee meeting yesterday. The Cybersecurity Advisory Committee is composed of a diverse group of members with backgrounds and experience from small, medium, and large water/wastewater utilities at varying levels of IT and OT cybersecurity maturity. The primary goal of convening this committee is to bring together a wealth of experience into one trusted group to share their institutional knowledge and insights so WaterISAC can better meet the OT and IT cybersecurity needs of its members. The initial charge of the Cybersecurity Advisory Committee is to provide feedback for improving existing cybersecurity products and services and sharing ideas for new cybersecurity initiatives.