IT and OT are fundamentally different: Robert M. Lee, CEO and co-founder of cybersecurity company Dragos, Inc., also spoke at the hearing, pointing out that enterprises and regulators must “recognize and account for” the differences between information technology (IT) and OT systems.

“IT and OT systems differ fundamentally in both purpose and operation,” he said. “While some traditional IT controls have been adapted for OT, the security mindset must differ.”

While IT supports how a business is managed, OT enables physical functions at an organization’s core, such as controlling pumps or chemical levels at a water facility. These two different missions should shape how risks are assessed and managed, said Lee.

“While an adversary might exploit similar vulnerabilities in IT and OT systems, the consequences and adversary behavior differ,” he said. Whereas a breach in an IT system may result in data theft, in OT it could lead to “physical disruption, equipment damage, or even loss of life.”

Despite this, infrastructure operators have been underinvesting in OT security. Based on Lee’s anecdotal experience, about 95% of cyber spend is focused on IT, and just 5% on OT. OT systems also have distinct operational demands: they often must run continuously for years, require redundancy, and depend on precise, millisecond-level responsiveness.

Cybersecurity mindsets must account for OT’s unique physical environments, long hardware lifecycles, and evolving threats, said Lee. These dictate different practices, technologies, and policy responses. “Regulators and policymakers must recognize these critical distinctions when setting policy,” he said.

He warned: “Let’s be clear: The timeline to take action against this growing threat is short, and the consequences of failure could, and likely would, be people dying.”
The importance of CISA 2015: Ten years ago, US lawmakers passed the Cybersecurity Information Sharing Act of 2015, which encouraged the sharing of cyber threat intelligence between the government and the private sector as a means to improve cybersecurity throughout the country. However, its lifetime was finite; the Act is set to expire on September 30, 2025.

Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, along with many other experts, is calling for the reauthorization of the Act. “This legislation is crucial to information sharing and strengthening US collective defense,” she said at today’s hearing.

Private sector cybersecurity teams, particularly those protecting critical infrastructure, rely on information sharing to strengthen their defenses, Bolton said, calling these communication channels “crucial” for supporting national threat awareness and allowing for rapid responses to cyber incidents.

“If the legal protections established by the Act were to lapse, this flow of information would be disrupted,” she warned.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4026959/warning-to-feds-us-infrastructure-is-under-silent-attack.html