The security of operational technology (OT) networks are a growing concern as it involves the world’s factories, utilities, healthcare, public transportation companies, energy facilities, and more–all of which have seen an enormous transformation in recent years.
However, along with these efficiency gains–including supervisory control and data acquisition (SCADA) systems that are now connected to the Internet–comes a sharp rise in cyber risk. That’s because these previously “air-gapped” systems that were once fully isolated from the Internet are now connected to it, exposing its broad attack surface to new cyber risks.
And now, in 2020, there is the added challenge of facing the risks presented by Covid-19, including more employees working from home and the adoption of new technologies designed to support a remote workforce.
To shed light on these and other OT security challenges, Fortinet has released the 2020 State of Operational Technology and Cybersecurity Report. The study exclusively targeted individuals responsible for some aspect of manufacturing or plant operations, and with job titles ranging from manager to vice president. All respondents also work at companies involved in one of four industries, including manufacturing, energy and utilities, healthcare and transportation.
The study highlights four main trends that help illustrate the current state of OT security across organisations:
OT leaders have a broad set of responsibilities, including cybersecurity
OT leaders typically report to higher-ranking individuals within the organisation, such as a VP, COO, or the CEO. The overwhelming majority (80%) are also regularly involved in making cybersecurity decisions, with half having the final say in those decisions. Sixty-four percent of OT leaders have also taken on the responsibility of embedding security within the operations process, and 71% are regularly involved in IT cybersecurity strategy.
Because cybersecurity is a top priority for these individuals, trends show that matters related to OT security will soon become the responsibility of the CISO, if they are not already. The inevitability of this shift is highlighted by the fact that most (61%) respondents stated that they expect their CISO to take on all OT security responsibilities in the coming year. This is likely due to the increased risk of connected OT systems and their impact on business continuity.
Core cybersecurity protection is not featured within all OT infrastructures
The report also revealed gaps in many OT infrastructures that include security. For roughly 40% – 50% of those organisations surveyed, the following protocols and security features were missing:
* Security Information and Event Management (SIEM);
* Technical Operations Center (TOC);
* Security Operations Center (SOC);
* Network Operations Center (NOC);
* Internal network segmentation;
* Network access control; and
* Multifactor authentication.
While more than half (58%) of organisations are seeing their budgets increase in 2020, it should also be noted that 15% are instead seeing a decrease in funding, which could be connected to Covid-19-related revenue losses.
Security measurements and analysis remain a challenge for OT leaders
The Fortinet survey found that between 36% and 57% of organisations lack consistency when it comes to measuring items on a list of standard metrics. Among the most commonly tracked and reported areas are vulnerabilities (64%), intrusions (57%), and cost reduction resulting from cybersecurity efforts (58%).
Conversely, fewer than half of organisations (43%) are known to report on tangible risk management outcomes, and 39% to 50% do not routinely share basic cybersecurity data with senior executive leadership.
Respondents also cited security analysis, monitoring, and assessment tools as among the most essential features in security solutions, with the majority (58%) ranking these specific attributes in the top three.
Despite the prioritisation of these features, however, 53% reported that security solutions hinder operational flexibility and half reported that they create more complexity.
Most OT leaders struggle to prevent intrusions
The majority of responding organisations also reported that they had been largely unsuccessful at preventing cyber criminals from exploiting their systems, with only 8% stating that they had had no intrusions over the past 12 months. Among those surveyed, it was also found that:
* 90% have experienced at least one intrusion in the past year;
* 72% have experienced three or more intrusions in the past year; and
* 26% have experienced six or more intrusions in the past year.
The impact of these exploitations was also noted by respondents, with more than half (51%) documenting lost productivity, 37% seeing operational outages impacting revenue, and 39% having their physical safety put at risk–a significant concern considering the inherent dangers of industrial facilities.
OT leaders also noted the commonality of specific attack methods, including malware (60%), phishing (43%), hackers (39%), ransomware (37%), denial-of-service (DDoS) attacks (27%), and insider breaches (18%).
This report also identified two subsets of respondents: those who had no intrusions during the past 12 months (top-tier) and those who experienced more than 10 intrusions during that same time (bottom-tier). Among those top-tier organisations, the following best practices were noted:
* Top-tier organisations are four times as likely to ensure that their OT activities are centrally visible to their security operations teams.
* They are also 133% more likely to track and report on vulnerabilities that were found and blocked.
* These organisations are twice as likely to have the CISO or CSO currently responsible for OT security.
* OT leaders within these organisations are 25% more likely to be directly responsible for embedding security into OT processes.
* Top-tier organisations are 25% more likely to have a NOC to ensure centralized visibility and monitoring of network activity.
* Top-tier OT leaders are 25% more likely to be measured by response time to security vulnerabilities, placing it as either a first or second priority.
* And these OT leaders are 25% more likely to report on compliance with industry regulations to executive leadership, suggesting automated compliance reporting that enables a real-time approach.
By following these seven best practices, OT leaders can expect benefits such as higher productivity levels, more robust cybersecurity defenses, and a better chance of keeping up with changes in the industry.