Who’s responsible for operational technology?

Does it fall to the chief engineer or chief of technology?
4 June 2019

Factory worker programming a CNC milling machine. Source: Shutterstock

Operational technology (OT) is the use of computers to monitor or control a physical system. It refers to the control systems used in power stations, robots on production lines, or the control networks for rail systems.

As such, operational technology is an integral component of industry today, but as organizations become increasingly ‘digital’ and connected, the growth of IT in the same arenas is leading to questions around responsibility.

OT has been referred to as “IT in the non-carpeted areas”. But this distinction is far from clear, and there is confusion as to where within the business responsibility for OT security actually lies.

According to a new online poll by NTT Security, most respondents believed that the engineering function should have full oversight, rather than the IT department.

Respondents said there was a disconnect between OT and IT teams: 42 percent of respondents believe OT security falls to the Engineering Director, while 38 percent said responsibility lay with the CTO. Just one in five, meanwhile, said it was the job of the CISO.

“It’s clear that arrangements for securing OT are a huge challenge for organizations, especially when it comes to identifying exactly what those risks are and the potential impact they may have on the business,” said Tim Ennis, Senior Operational Technology Consultant, Cyber Security Consulting at NTT Security.

“With greater connectivity and convergence with IT comes greater risks and these have to be managed accordingly.”

Having the right skills and clear lines of responsibility is “fundamental” for organizations, according to Ennis, but there is no “one-size-fits-all” solution, and it falls to individual businesses to decide.

“It might be right that the CISO has responsibility, but equally it could be that the Engineering Director is best placed to do this.

“What is important is getting the right organizational structure in place that can empower and support the OT team to improve security, and to enable the business to achieve its objectives.”

On the ability to manage OT risk, a lack of appropriate skills was a crucial concern, while respondents also cited a lack of visibility into networks to facilitate risk assessment.

While there has yet to be a significant cyber attack on telecommunications networks, the telecoms sector was regarded as most vulnerable to an OT attack, followed by utilities.

Interestingly, despite potential damage inflicted by compromising ‘smart factories’, just 13 percent considered manufacturing to be the most vulnerable.