Digital security incidents involving operational technology (OT) can have serious consequences in the physical world. Why are these OT security incidents happening? A lack of understanding of how the different elements of DevSecOps fit together can contribute. It also highlights the importance of crossover between engineering and cybersecurity.

In March 2021, for instance, Fortinet found over 90% of organizations with OT assets admitted to having suffered at least one security incident in the past year. 12% said that their employers had faced a minimum of 10 incidents in that period. Those events disrupted work for more than half of respondents, the study found. Meanwhile, public safety became an issue in 45% of cases.

Facing IT-OT Challenges with DevSecOps

One problem facing OT security is the convergence of industrial environments with information technology (IT) assets. Both IT and OT suffer from similar types of security threats in some respects. Unwanted access, password reuse, malware attacks and other problems can hit both. But the two often have conflicting needs due to the nature of their business. OT sees availability as a means of preventing physical danger and ensuring public safety. Meanwhile, IT puts secrecy first in the ongoing fight against data breaches.

IT and OT don’t always know where their counterparts stand, nor do they have a reference point from which to start understanding each other. This lack of teamwork complicates the task of extending security across both. Attackers can exploit a lack of integration or visibility between IT and OT: by compromising assets in one, they can pivot to the other. For example, threat actors can use IT security weaknesses to disrupt industrial control systems, make changes to OT assets or interfere with safety equipment. So, where does DevSecOps come in?

Cybersecurity Education for Engineers Matters to DevSecOps

So, how do you defend against OT attacks and account for the challenges of the ongoing IT-OT convergence? One way is to focus on providing engineers with cybersecurity education. Getting engineers involved in development helps further secure the DevSecOps collaborative system.

Critical infrastructure organizations need engineers more than others. After all, engineers operate on the front lines. These personnel help design, implement and maintain industrial environments. They’re in a position to help those environments evolve with and stay safe amid the IT-OT convergence. But, in order to do so, they need to understand the threats confronting them.

How to Provide Cybersecurity Education to Engineers

When it comes time to provide engineers with cybersecurity education, it’s important not to approach their security awareness training the same way you would for non-technical employees on the IT side. A one-size-fits-all approach will not work, because the two groups confront different threats on a daily basis. Learning about problems that don’t pertain to their jobs will waste engineers’ time or even make them more complacent.

Knowing that, cultivate engineers’ awareness of threats that are relevant to them. Use training modules in tandem with threat intelligence to emphasize new attack campaigns confronting critical infrastructure, for instance. In addition, conduct tests that highlight secure OT system design as those principles evolve with the changing threat landscape. This way, your engineers will find their own place in the DevSecOps framework.
