Full Report
On April 1, 2026, Dr. Darrell Eilts, CIO of the Sewage and Water Board of New Orleans, and I will be guests on the Grid Podcast. This discussion will not focus on IT/OT convergence. Instead, we will address a more fundamental issue: the need for true collaboration between engineering and network security. Network impacts are […]
Analysis Summary
# Best Practices: Bridging the Cultural Chasm Between Engineering and Network Security
## Overview
These practices address the fundamental cultural and operational disconnect between network security (IT) and engineering (OT). They focus on shifting the perspective from "data protection" to "process integrity," ensuring that cybersecurity measures account for the physical impacts of control system failures.
## Key Recommendations
### Immediate Actions
1. **Cross-Disciplinary Dialogue:** Initiate "ride-along" sessions where network security professionals shadow engineers in the field and vice versa to understand operational constraints versus security requirements.
2. **Impact Definition Re-alignment:** Categorize system risks into two distinct buckets: Network Impacts (data failures/breaches) and Control System Impacts (physical/process failures).
3. **Joint Incident Response Planning:** Include lead engineers in cybersecurity tabletop exercises and include security analysts in operational safety reviews.
### Short-term Improvements (1-3 months)
1. **Integrated Risk Assessments:** Conduct unified risk assessments that evaluate how a network security control (e.g., automated patching or port blocking) might affect physical process uptime and safety.
2. **Shared Metrics:** Implement KPIs that reflect both security health and process stability, ensuring that security goals do not undermine operational availability.
3. **Cross-Training Attendance:** Send cybersecurity staff to engineering/technical conferences and engineers to security-focused summits to bridge the knowledge gap.
### Long-term Strategy (3+ months)
1. **Develop a Unified "Cyber-Physical" Culture:** Formulate a governance structure where the CIO (Network Security) and the VP of Operations (Engineering) share accountability for infrastructure resilience.
2. **Standardize Communication Protocols:** Establish a common language/taxonomy for describing threats that translates technical network jargon into physical risk metrics (e.g., Gallons per Minute, Voltage Stability).
3. **Architecture Co-Design:** Mandate that all new OT infrastructure projects require a joint sign-off from both Network Security and Engineering at the design phase, rather than treating security as an "add-on."
## Implementation Guidance
### For Small Organizations
- Focus on informal regular meetings between the IT lead and the Plant Manager.
- Prioritize visibility of network traffic over active blocking to prevent accidental process disruption.
### For Medium Organizations
- Appoint an "OT Security Liaison" who has a background in both fields to mediate conflicting priorities.
- Use semi-automated configuration monitoring to ensure both security and process consistency.
### For Large Enterprises
- Establish a formal "Cyber-Physical Security COE" (Center of Excellence).
- Implement hardware-enforced security (e.g., unidirectional gateways) where network security needs to be absolute without risking command injection into process loops.
## Configuration Examples
While the article focuses on cultural integration, technical alignment involves:
- **Passive Monitoring:** Configure SPAN/Mirror ports on industrial switches to allow network security tools to "see" traffic without the risk of adding latency or dropping process-critical packets.
- **Access Control Lists (ACLs):** Explicitly permit industrial protocols (Modbus, DNP3, CIP) before implementing "Deny All" rules, with verified input from the engineering team on required ports.
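
An added example, not from the original article: a Python check that replays engineering's list of required flows against an ordered, first-match ACL and reports any flow a deny rule would drop. The addresses, rules and flow names are constructed, and the ports are the protocols' registered defaults (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818 and 2222), which are assumptions to confirm with the engineering team.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data. Ports are registered defaults; confirm with engineering.
REQUIRED_FLOWS = [  # (name, proto, src, dst, port)
    ("Modbus/TCP HMI to PLC", "tcp", "10.10.1.5", "10.10.2.20", 502),
    ("DNP3 master to RTU", "tcp", "10.10.1.6", "10.10.2.30", 20000),
    ("CIP explicit messaging", "tcp", "10.10.1.5", "10.10.2.40", 44818),
    ("CIP implicit I/O", "udp", "10.10.1.5", "10.10.2.40", 2222),
]
ACL = [  # (action, proto, src, dst, port); evaluated top-down, first match wins
    ("permit", "tcp", "10.10.1.0/24", "10.10.2.0/24", 502),
    ("permit", "tcp", "10.10.1.0/24", "10.10.2.0/24", 20000),
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
    ("permit", "tcp", "10.10.1.0/24", "10.10.2.0/24", 44818),  # placed too late
]

def matches(rule, flow):
    """True if the ACL rule covers the flow's protocol, port and addresses."""
    _, proto, src, dst, port = rule
    _, f_proto, f_src, f_dst, f_port = flow
    return (proto in ("any", f_proto)
            and port in (None, f_port)
            and ip_address(f_src) in ip_network(src)
            and ip_address(f_dst) in ip_network(dst))

def audit(acl, flows):
    """Return (flow name, reason) for each required flow the ACL would drop."""
    findings = []
    for flow in flows:
        hit = next((i for i, r in enumerate(acl) if matches(r, flow)), None)
        if hit is not None and acl[hit][0] == "permit":
            continue  # first matching rule permits the flow
        start = len(acl) if hit is None else hit + 1
        shadowed = any(r[0] == "permit" and matches(r, flow) for r in acl[start:])
        reason = (f"permit shadowed by deny at rule {hit + 1}" if shadowed
                  else "no permit rule for this flow")
        findings.append((flow[0], reason))
    return findings

if __name__ == "__main__":
    for name, reason in audit(ACL, REQUIRED_FLOWS):
        print(f"{name}: {reason}")
```

Running the audit before a change window turns the engineering sign-off into a repeatable check: an empty result means every required flow reaches a permit before any deny.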
## Compliance Alignment
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **ISA/IEC 62443:** Security for industrial automation and control systems.
- **NERC CIP:** Critical Infrastructure Protection standards for the power grid.
## Common Pitfalls to Avoid
- **Treating OT as "Standard IT":** Applying IT-centric security policies (like forced reboots for updates) without accounting for 24/7 physical process requirements.
- **Siloed Information:** Keeping engineering data and network security logs in separate platforms, preventing a holistic view of "Cyber-Physical" events.
- **The "Culture of No":** Security teams blocking engineering needs without offering viable, safe alternatives.
## Resources
- **The Grid Podcast:** hxxps://www.youtube.com/@thegridpodcast777
- **Reference Paper:** “Packets and Process: What Network Security and Engineering Get Wrong About Each Other” (IEEE Computer magazine, June 2026).
- **Expert Blog:** hxxps://scadamag.infracritical.com/ (Joe Weiss – Unfettered)