Busting the Air Gap Myth: OT Security's Blind Spot
Cappelli of Dragos on Breaking Down IT-OT Security Myths and Building Resilience
Organizations' persistent belief in air-gapped systems continues to leave them vulnerable to cyberthreats. This misconception poses significant risks as threat actors increasingly target critical infrastructure through IT-OT convergence points, said Dawn Cappelli, director of OT-CERT at Dragos.
"At Dragos, that's what we do. We do only industrial cybersecurity, and we have never found an organization that is truly air gapped," Cappelli said. "When you do converge your IT and OT, even if it's just sporadically and not a constant connection. That's how most of the attacks that impact OT get into the network. They get in through a phishing email or an unpatched vulnerability into IT, and they move into OT from there."
Cappelli explained the need for a more nuanced approach to vulnerability management in OT environments. "Our threat intelligence team looks at every vulnerability that comes out in ICS equipment, and we found that only 2% to 3% of the vulnerabilities need to be patched now," she said, advocating for a "now, next, never" approach that aligns with operational activities.
The key to building resilience, Cappelli said, lies in collaborative security strategies: "People would ask me who owns the OT security program? And I said, it's IT and OT, we developed it together, we designed it together, and we're implementing it together."
In this video interview with Information Security Media Group at the GovWare Conference and Exhibition 2024, Cappelli also discussed:
- The critical need for specialized OT monitoring solutions and protocols;
- Risk-based approaches to vulnerability management in industrial systems;
- How nation-state actors and hacktivists target critical infrastructure.
Cappelli provides free resources to help small and medium-sized businesses to address cybersecurity risks in industrial infrastructure. In a career spanning more than 20 years, she has worked with global industry, government and intelligence leaders on cybersecurity issues.