business

Taking the journey from IT to OT security. My findings so far (James Sandrone)

 
JamesSandrone.jpg
 

Hi, I am James Sandrone, the senior business solutions consultant at Awen Collective and I’m an OT security newbie.

Seven months ago I started working for the fabulous Industrial cyber security start-up called Awen Collective. This presented an exciting opportunity to grow both on the business development and technical side. With this came the promise to be part of something from the ground up, that could really make a difference. Through my experience of putting together CISO & CIO events for a previous employer, cyber was certainly a strong area of interest for the next step of my professional journey. My limited experience in cyber told me that it is about trust and integrity, and I wanted to work within an area with these attributes.

Through some mutual connections that understood both mine, and my then potential employers, needs and ambitions, I joined a fantastic team at Awen Collective. Awen believed in me and gave me the platform to put my ideas into practise to grow the business. Not only that, the key values of trust and integrity were clear to see from the start, and I needed to dig deep into understanding the market and the technologies. 

So the first question I wanted asked myself was, OT & IT - what are the differences? Well, If I had to explain this 7 months ago then I would have broken it down like this: IT deals with information, while OT (Operational Technology) deals with machines, and while OT manages the operation of physical processes and the machinery used to carry them out, IT manages the flow of digital information. But it got a little confusing to me, as they can often cross over through contemporary ICS (Industrial Control Systems) and Industrial Internet of Things (IIoT) and their connection to the internet also. The real big problem that I initially discovered was that the OT involved in these systems is sometimes old, and was not designed to be secure against this kind of connectivity and risk. In contrast, the risk within IT is far better understood and mitigated.  

I wanted to dig a bit deeper into the perspective of an Industrial CISO / OT Cyber professional… so that's exactly what I did! Months of engaging with these experts in all parts of the world (to understand if this was a global problem). I noticed a common feeling among the community, that there is a lot of noise at the moment around OT cyber solutions and what they promise to deliver, but the reality is very different and in fact, unfortunately, there is a lot of disappointment in the current solutions on the market and what they offer. This, of course, naturally made it easier for me to engage with industrial organisations, as OT cyber needs were far from being met.

The great thing is that through speaking with many people within cyber security, it seems that the awareness and need for a better OT cyber solution is growing. As is the community of people who want to make a difference by better understanding cyber resilience. After all, our Critical National Infrastructure has significant cyber risk, and a threat to industry is a threat to every one of us. We, as the cyber security community, need to get this right. We can definitely keep society a little safer by reducing the risk of cyber attacks on our essential services, I encourage any of you in the cyber world that feel the same way, to get in touch and see how we can tackle this problem together!