As recently mentioned, smart factory security continues to be a serious challenge. Yet, the same goes for operational technology (OT) and industrial cybersecurity in general, as a report on 2022 OT cybersecurity shows.
Cyberattacks targeting organizations with OT environments and systems have been growing for over a decade, especially since the accelerating convergence of OT and IT. This integration, characteristic of Industry 4.0 and IIoT, means that OT devices are more often connected to the internet, resulting in an expanded attack surface.
Moreover, modern OT environments are prone to software supply chain attacks, IT vulnerabilities, the many security challenges of the Internet of Things, and issues on the level of ICS (industrial control systems), SCADA systems, and other operational technology areas.
IT/OT interconnectedness has allowed threat actors to attack the cyber-physical systems of no-longer air-gapped OT environments, resulting in many serious incidents (Fortinet)
The integration of IT and OT also means that organizations leverage more solutions from different vendors to realize their digital transformation, which in turn increases the risks that come with more partners and suppliers. It’s a known fact that IT and OT integration doesn’t just mean that OT systems aren’t air-gapped anymore from IT systems. It also drives the growing need for third-party risk management (and for attack surface management and more security solutions).
Critical security gaps according to the global State of OT and Cybersecurity Report
Connected industries and technologies mean more cybersecurity risks and entry doors for potential attacks, with industrial control systems remaining a target for cybercriminals, requiring mature OT cybersecurity strategies.
In an increasingly connected world, OT security efforts are moving slowly toward the full protection of ICS and SCADA systems.
Most industrial companies realize it, and several cybersecurity vendors offer integrated OT security solutions to help tackle the challenges and reap the benefits of industrial automation and digitization more securely. Yet, this becomes an increasingly complex task. Attackers increasingly target organizations with OT systems in an ever more advanced threat landscape with more IoT devices and connected assets.
One of the companies offering integrated security solutions for IT and OT cybersecurity is Fortinet. In its “2022 State of Operational Technology and Cybersecurity Report,” the company looks at OT security’s evolution. A few results.
According to the global Fortinet research, there are quite some critical issues around OT and ICS security. The report, released end of June 2022, found that 93 percent of all organizations with OT environments experienced hacking in the past twelve months. Over three-quarters of respondents (78 percent) were even confronted with over three security incidents.
This year’s global State of OT and Cybersecurity Report demonstrates that while OT security has the attention of organizational leaders, critical security gaps remain. PLCs designed without security, continued intrusions, a lack of centralized visibility across OT activities, and growing connectivity to OT are some of the critical challenges these organizations need to address. (John Maddison, EVP of Products and CMO at Fortinet)
While these findings confirm that industrial control systems remain a target for cybercriminals, there are fortunately also several gaps and other areas where industrial security can be improved.
Per the report, security risks increase due to the lack of a central overview of OT activities, with only 13 percent of all respondents having realized such central oversight of all OT activities.
Moreover, only 52 percent of all organizations can monitor these OT processes from their security operations center (SOC). And this is even though 97 percent of all global organizations believe that OT contributes to enterprise-wide security risks to a moderate or significant extent.
When asked about the maturity of their organization’s OT security posture, only 21% of organizations have reached level 4, which includes leveraging orchestration and management. (2022 State of Operational Technology and Cybersecurity Report)
OT security – a growing concern for executive leaders
According to the Fortinet OT cybersecurity report, a second challenge is a lack of consistent accountability for OT security or OT security ‘ownership’ in the business. The report shows that, although OT security has the attention of executives on various levels, managing it is done by a wide variety of professionals.
In most cases, the final responsibility for OT security is for the VP or director of network engineering or operations. The CTO and CISO/CSO are most often cited among the top three leaders influencing cybersecurity decisions, although their influence has declined compared with last year’s edition of the report.
Fortinet is skeptical about the speculation among respondents that responsibility for OT security will keep moving upward, as the trends regarding final responsibility seem to indicate. This skepticism is, among others, fueled by the mentioned declining influence of the CISO. Only 15% of respondents said the CISO is responsible for OT security in their organization.
Nevertheless, it’s clear that OT security has become a C-level issue. In that sense, it’s the same as in cybersecurity overall with, as Gartner says, the need to treat cybersecurity as a business decision.
Looking at the impact of OT-related security incidents on organizations’ productivity and bottom line, this shouldn’t come as a surprise. The “2022 State of Operational Technology and Cybersecurity Report” found that nearly half of all affected organizations experienced lost productivity due to downtime due to successful intrusion attempts.
Security converged into the OT networking infrastructure, including switches, access points, and firewalls, is essential to segment the environment. This, combined with a platform that spans OT, converged OT/IT, and IT, provides end-to-end visibility and control. (John Maddison)
In 90 percent, process recovery took hours or days. A third of respondents experienced lost revenue, data loss, compliance issues, or reputational damage as a result.
You can find more details in the “2022 State of Operational Technology and Cybersecurity Report“, and check out report highlights in this blog post on the Fortinet website.