Events , Governance & Risk Management , GovWare

Busting the Air Gap Myth: OT Security's Blind Spot

Cappelli of Dragos on Breaking Down IT-OT Security Myths and Building Resilience
Dawn Cappelli, director - OT-CERT, Dragos

Organizations' persistent belief in air-gapped systems continues to leave them vulnerable to cyberthreats. This misconception poses significant risks as threat actors increasingly target critical infrastructure through IT-OT convergence points, said Dawn Cappelli, director of OT-CERT at Dragos.

See Also: How Enterprise Browsers Enhance Security and Efficiency

"At Dragos, that's what we do. We do only industrial cybersecurity, and we have never found an organization that is truly air gapped," Cappelli said. "When you do converge your IT and OT, even if it's just sporadically and not a constant connection. That's how most of the attacks that impact OT get into the network. They get in through a phishing email or an unpatched vulnerability into IT, and they move into OT from there."

Cappelli explained the need for a more nuanced approach to vulnerability management in OT environments. "Our threat intelligence team looks at every vulnerability that comes out in ICS equipment, and we found that only 2% to 3% of the vulnerabilities need to be patched now," she said, advocating for a "now, next, never" approach that aligns with operational activities.

The key to building resilience, Cappelli said, lies in collaborative security strategies: "People would ask me who owns the OT security program? And I said, it's IT and OT, we developed it together, we designed it together, and we're implementing it together."

In this video interview with Information Security Media Group at the GovWare Conference and Exhibition 2024, Cappelli also discussed:

  • The critical need for specialized OT monitoring solutions and protocols;
  • Risk-based approaches to vulnerability management in industrial systems;
  • How nation-state actors and hacktivists target critical infrastructure.

Cappelli provides free resources to help small and medium-sized businesses to address cybersecurity risks in industrial infrastructure. In a career spanning more than 20 years, she has worked with global industry, government and intelligence leaders on cybersecurity issues.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.