The U.S. has an operational technology (OT) problem when it comes to cybersecurity, according to a senior security official at the Energy Department (DoE).
IT infrastructure has had a massive head start on OT systems when it comes to implementing effective cybersecurity measures, but as Paul Selby, DoE’s chief information security officer (CISO), points out, “we have an OT problem” – making it clear that it’s time to address these unique challenges.
One of those challenges, Selby explained, is the lack of basic cyber hygiene in some OT systems that critical infrastructure operators rely on.
“A lot of the OT in our critical infrastructure simply can’t support the basic cyber hygiene needed to protect our networks, which is incredibly alarming,” Selby said during a GovCIO event on April 3.
Equally alarming is the lack of visibility in OT networks, he explained. “We have visibility across the IT network, but the OT network is a bigger issue,” Selby said.
Selby highlighted a 2022 Fortinet report that found only 13 percent of critical infrastructure operators had visibility across their IT and OT networks.
Despite those daunting challenges, Selby said “we’re heading in the right direction.”
A more recent Fortinet report published last year found that the OT security posture shows notable progress on both ends of the mature technologies spectrum – with about 20 percent of organizations reporting establishing visibility into their OT networks.
Selby also emphasized that as the Federal government works to secure its networks, “there has to be a public-private partnership that includes the government, industry, and academia to solve the problem we’re facing today [because] make no mistake, we are already in the thick of it,” he said.
“We have to change our messaging to get the stakeholders and bring them into the template. We need to make them champions for what we do, and we can’t do that with fear alone,” Selby said.