Editorial

Why IT/OT security is on the 2025 agenda for public sector CISOs

In this Q&A, Andrew Lintell, general manager, EMEA at Claroty, explores how CISOs need to lead the charge in establishing cybersecurity as an enabler of resilience and operational success in a digital future.

Posted 31 December 2024 by Christine Horton


1. Why is IT-OT security convergence becoming a top priority for CISOs in critical sectors?

Digital transformation is ramping up in all sectors, and with an estimated $4 trillion to be spent on digital transformation by 2027, this trend is showing no signs of slowing.

This has markedly impacted public infrastructure like energy, water and transportation, which are heavily dependent on physical systems governed by operational technology (OT). Previously this sat separately from traditional IT but now sits under the same umbrella. Similarly, building management systems are another very prominent OT element in the UK public sector. Cyber-physical systems (CPS) like HVAC and building access controls see many of the same security issues.

Now, the rapid convergence between IT and OT means cybercriminals have a way to access critical systems that were previously closed off. This leaves public sector organisations highly vulnerable, particularly to disruptive attacks, like ransomware, that target service provision.

Many security heads, especially those from IT backgrounds, must now navigate a steep learning curve to address the distinct operational risks of cyber-physical systems.

2. What sort of changes do CISOs need to establish OT security in public services?

CISOs trying to secure our public infrastructure often find themselves trying to fill round holes with square pegs. One-size-fits-all IT security processes cannot fit into OT environments, which have unique protocols that IT tools don’t recognize and a stark intolerance for downtime that IT tools typically require to push software updates and patches.

The Security Operations Centre (SOC) is a prime example. It’s one of the most essential assets in any security strategy, but traditional SOCs are geared around standard IT environments and often cannot manage the needs of an OT-heavy operation.

The answer is a vertical, sector-specific SOC for OT operations, which addresses the unique challenges such as highly distributed operations, legacy systems, and high uptime requirements.

One of the key benefits of sector-specific SOCs is enhanced visibility. The combination of legacy and modern systems from multiple vendors in public infrastructure makes it difficult to identify vulnerabilities or detect abnormal behaviour. Sector-specific SOCs can centralise monitoring, providing real-time insights into potential threats while accommodating the nuances of OT infrastructure.

Speed is another factor here. Public services, such as the national energy grid, must respond rapidly to cyber threats to prevent disruptions to essential services. Tailored SOCs offer incident response capabilities designed to mitigate downtime.

Vertical SOCs also help public sector organisations manage third-party risks, which are becoming increasingly prevalent in OT environments due to the rise in remote access tools. By centralising security operations, these SOCs create a unified approach to monitoring and protecting against supply chain vulnerabilities.

3. What other assets do CISOs need to secure OT environments?

One of the biggest differences between IT and OT security is the often highly dispersed set-up in physical systems. Most IT security actions can be carried out just as easily if the team is in the same building or located in another country. OT systems, however, were designed with physical access in mind, and are geographically widespread. Critical sectors like power grids can be spread through dozens of power substations hundreds of miles apart.

As a result, security teams are left with a highly fragmented and disparate set of systems to monitor and secure. Manual intervention on such widespread infrastructure is challenging at the best of times, let alone when facing an active cyber threat.

A centralised and secure access solution is critical to simplify the management of distributed systems, ensuring that authorised personnel can monitor, update, and repair systems without compromising security. By consolidating remote access mechanisms, public sector organisations not only enhance security but also reduce maintenance overheads and improve resource efficiency. This also allows critical IT security strategies to be applied uniformly across CPS and removes blind spots.

4. What other challenges do public sector organisations face when implementing IT-OT security strategies?

The unique characteristics of OT environments and the limitations of legacy systems can make effective security difficult, and the public sector has an extra layer of challenges to consider compared to private sector counterparts.

Many OT systems in public services were designed decades ago with little consideration for cybersecurity. Retrofitting these systems to meet modern security standards is costly and disruptive.

The cultural divide between IT and OT teams presents another hurdle. Historically, IT teams have focused on data confidentiality and compliance, while OT teams prioritise uptime and safety. Aligning these divergent priorities requires strong leadership and collaborative efforts.

Tying into this is the skills gap. This is an omnipresent issue in cybersecurity, and even more complicated in OT security. Individuals with the necessary blend of OT and IT expertise are in short supply. Lower public sector salaries often mean that this high demand cannot be met.

Finally, regulatory pressures also weigh heavily. Public sector organisations must navigate complex compliance requirements while addressing their unique operational risks. Budget constraints are also an issue here, limiting the ability to invest in comprehensive IT-OT security measures.

5. How can public sector organisations start viewing cybersecurity as an enabler of operational success?

Cybersecurity is often seen as a burden – an obligation that must be met rather than an enabler that can have a positive outcome for the organisation.

For example, public sector security is often driven by regulatory compliance. The UK government is currently working on the Cyber Security Resilience Bill, which is expected to be the equivalent of the EU’s NIS 2, introducing new security responsibilities for critical infrastructure and adjacent public services. Areas like Building Management Systems already fall under the NCSC’s Cyber Assessment Framework (CAF), though this is not mandatory.

Regulations like these can help effect change, but they’re a double-edged sword as they can continue to frame security as a requirement rather than an enabler.

Public sector CISOs must reframe cyber as an opportunity. For example, organisations can reduce the risk of costly downtime – a critical factor for ensuring the reliable delivery of essential services to citizens.

Strong cybersecurity fosters public trust. Critical infrastructure service delivery is a public expectation and therefore cybersecurity must be prioritised.
