Full Report
On April 1, 2026, Dr. Darrell Eilts, CIO of the Sewage and Water Board of New Orleans, and I will be guests on the Grid Podcast. This discussion will not focus on IT/OT convergence. Instead, we will address a more fundamental issue: the need for true collaboration between engineering and network security. Network impacts are […]
Analysis Summary
# Best Practices: Bridging the Cultural Chasm Between Engineering and Network Security
## Overview
These practices address the fundamental cultural and operational disconnect between Engineering (Operations) and Network Security (IT). The goal is to move beyond mere "IT/OT convergence" toward a collaborative model where physical process impacts (Engineering) and data integrity/availability (Security) are managed as a unified risk.
## Key Recommendations
### Immediate Actions
1. **Define Differential Impact:** Formally acknowledge in internal policy that network impacts are "data failures" while control system impacts are "physical impacts."
2. **Multidisciplinary Attendance:** Mandate that network security leads attend at least one engineering-focused operational meeting per month, and vice versa for engineering leads.
3. **Joint Incident Definition:** Create a shared glossary to ensure "cybersecurity" includes both malicious network activity and unintentional physical process deviations.
### Short-term Improvements (1-3 months)
1. **Cross-Pollination Training:** Implement "Control Systems 101" for IT security staff and "Network Hygiene 101" for engineers to build a common technical language.
2. **Integrated Risk Assessment:** Conduct a pilot risk assessment that maps a specific network vulnerability directly to a physical outcome (e.g., how a switch failure impacts a specific water pump).
3. **Collaborative KPI Development:** Establish shared performance metrics that reward both system uptime (Engineering goal) and protocol compliance (Security goal).
### Long-term Strategy (3+ months)
1. **Integrated Governance Structure:** Move away from siloed reporting lines. Establish a Liaison Office or a "Process Security" committee that reports directly to the CIO/COO.
2. **Joint Procurement Reviews:** Ensure all new Industrial Control System (ICS) hardware/software undergoes a joint review process focusing on both "Process Reliability" and "Network Defensibility."
3. **Cultural Alignment Incentives:** Align career development paths to encourage engineers to gain security certifications (e.g., GICSP) and security pros to gain process knowledge.
## Implementation Guidance
### For Small Organizations
- **The "Ride-Along":** Have the IT person shadow a field engineer for a day to understand the physical consequences of network latency or downtime.
- **Shared Tools:** Use a single ticketing system for both maintenance and security events to prevent information silos.
### For Medium Organizations
- **Liaison Roles:** Appoint a dedicated "OT Security Coordinator" who has a background in engineering but reports to the security office.
- **Tabletop Exercises:** Run simulations that require both the IT team to "stop the attack" and the Engineering team to "stabilize the process" simultaneously.
### For Large Enterprises
- **Center of Excellence:** Create a cross-functional ICS Security Center of Excellence (CoE) to standardize practices across multiple plants or regions.
- **Integrated SOC:** Incorporate process-level telemetry (sensor data) into the Security Operations Center (SOC) dashboards, not just network logs.
## Configuration Examples
*While the article focuses on cultural strategy, the following technical principle is implied:*
- **Non-Invasive Monitoring:** Configure network security tools (IDPS) in "Passive Mode" on OT networks to ensure security monitoring does not inject packets that could cause the "physical impacts" engineers fear.
- **Protocol Sanity Checks:** Configure firewalls to look for "Process Anomalies" (e.g., a legitimate command sent at an illegitimate time) rather than just "Signature Matches."
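The "Process Anomalies" check described above, as an added example that is not taken from the article or the podcast: a signature-style rule fires only for a source already known to be bad, while a policy keyed on asset, function, permitted sources and expected time of day also flags a setpoint write from a trusted engineering host at 03:00. The log format, addresses, asset names and time windows are constructed assumptions.

```python
from datetime import datetime, time

# Constructed command log for the example (the field layout is an assumption):
# "<iso timestamp> <source ip> <target asset> <function> <register>"
EVENTS = [
    "2026-03-02T10:15:00 10.10.5.21 PLC-PUMP-07 WRITE_SETPOINT 40021",
    "2026-03-02T03:02:11 10.10.5.21 PLC-PUMP-07 WRITE_SETPOINT 40021",
    "2026-03-02T11:40:09 10.10.5.30 PLC-PUMP-07 READ_STATUS 30001",
    "2026-03-02T11:41:00 10.10.9.99 PLC-PUMP-07 WRITE_SETPOINT 40021",
]

# Signature-style rule: alert only on sources already known to be bad.
BAD_SOURCES = {"10.10.9.99"}

# Process policy (assumed for the example): which sources may issue each
# function to each asset, and the local time window in which the process
# expects it. Setpoint writes to the pump PLC belong to the 09:00-17:00 shift.
POLICY = {
    ("PLC-PUMP-07", "WRITE_SETPOINT"): ({"10.10.5.21"}, (time(9), time(17))),
    ("PLC-PUMP-07", "READ_STATUS"):
        ({"10.10.5.21", "10.10.5.30"}, (time(0), time(23, 59, 59))),
}

def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, target, func, reg = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "target": target, "func": func, "register": int(reg)}

def signature_alerts(lines):
    """Signature matching: fires only when the source is on the bad list."""
    return [e for e in map(parse, lines) if e["src"] in BAD_SOURCES]

def process_anomaly_alerts(lines):
    """Process-anomaly check: a well-formed, normally permitted command is
    still flagged when its source or its time of day does not fit the policy."""
    alerts = []
    for e in map(parse, lines):
        rule = POLICY.get((e["target"], e["func"]))
        if rule is None:
            alerts.append((e, "function not expected for this asset"))
        elif e["src"] not in rule[0]:
            alerts.append((e, "unexpected source"))
        elif not rule[1][0] <= e["ts"].time() <= rule[1][1]:
            alerts.append((e, "outside approved window"))
    return alerts

if __name__ == "__main__":
    print("signature alerts:", len(signature_alerts(EVENTS)))
    for e, why in process_anomaly_alerts(EVENTS):
        print("process anomaly:", e["ts"].isoformat(), e["src"], why)
```

The second event is the one a signature-only control misses: it comes from the approved engineering workstation and uses an approved function, yet the time of day makes it a process anomaly worth an engineer's attention.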
## Compliance Alignment
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **ISA/IEC 62443:** Security for industrial automation and control systems (Focus on Zone and Conduit models).
- **NERC CIP:** For organizations involved in power/grid infrastructure (Relevant to the podcast context).
## Common Pitfalls to Avoid
- **Treating OT as "Dirty IT":** Applying standard IT patch management cycles to engineering systems without considering physical safety or uptime requirements.
- **Siloed Conferences:** Security teams attend only Black Hat/DEF CON while engineers attend only IEEE/technical summits; this reinforces the "Cultural Chasm."
- **Ignoring "Unintentional" Cyber Events:** Failing to recognize that a misconfigured PLC (Engineering error) is a security event because it impacts system integrity.
## Resources
- **The Grid Podcast:** hxxps://www[.]youtube[.]com/@thegridpodcast777
- **IEEE Computer Magazine:** (Upcoming June 2026 issue: "Packets and Process")
- **Control Global Unfettered Blog:** hxxps://www[.]controlglobal[.]com/blogs/unfettered
- **ISA Global Cybersecurity Alliance:** hxxps://www[.]isa[.]org/isagca