Exploring the Security Culture of Operational Technology (OT) Organisations: the Role of External Consultancy in Overcoming Organisational Barriers

Operational Technology (OT) refers to systems that control and monitor industrial processes. Organisations that use OT can be found in many sectors, including water and energy, and often operate a nation's critical infrastructure. These organisations have been under a digitalisation process, which along with increasing regulatory pressures have necessitated changes in their cybersecurity practices. The lack of internal resources has often compelled these organisations to turn to external consultancy to enhance their security. Given the differences between OT and Information Technology (IT) security practices and that OT cybersecurity is still in its infancy, developing a security culture in OT environments remains a challenge, with little research investigating this topic. We have conducted 33 interviews with professionals with a security related role working in various OT sec-tors in the UK, on the subject of security culture development. Our analysis indicates three key organisational barriers to the development of a security culture: governance structures, lack of communication between functions, and the lack of OT cybersecurity expertise. Subsequently, the role of consultants and security solution vendors in overcoming these barriers through consultancy is demonstrated. We therefore argue that these stakeholders play a crucial part in the development of security culture in OT and conclude with recommendations for these organisations.