The Institute for Homeland Security at Sam Houston State University published my paper –Whos_in_Charge_of_OT_Security.pdf (ihsonline.org). CISOs have traditionally been responsible for cyber security of enterprise IT networks excluding the control system (operational) assets which were under the purview of the engineering organizations. After the 2006 Gartner Research paper that coined the term “OT”, the CISOs have been given the additional responsibility for cyber securing OT assets without a firm understanding of the technical constraints of OT systems. Unfortunately, that change frequently has resulted in OT systems being operationally impacted by employing network cyber security technologies and testing that worked for IT but not OT inadvertently impacting control system reliability. In many cases, CISOs or their organizations have excluded engineering organizations from participating in OT cyber security which has caused further organizational chasms between the engineering and network security organizations. Consequently, the purpose of the paper is to address the question of which team in the organization should oversee OT cyber security to maximize security effectiveness and minimize potential inadvertent operational impacts of OT systems.
