The security of operational technology (OT) networks is a growing concern as it involves the world’s factories, utilities, healthcare, public transportation companies, energy facilities, and more—all of which have seen an enormous transformation in recent years. For example, manufacturing and plant operations have become much more efficient, primarily due to a projected $40 billion OT hardware and software market that provides solutions designed to make operations more agile. However, along with these efficiency gains—including supervisory control and data acquisition (SCADA) systems that are now connected to the Internet—comes a sharp rise in cyber risk. That’s because these previously “air-gapped” systems that were once fully isolated from the Internet are now connected to it, exposing their broad attack surface to new cyber risks.
The challenges of securing industrial control systems (ICS) against cyber threats continue to dominate the everyday to-do lists of OT teams. In spite of almost daily attention from OT leaders, business operations are increasingly at risk, largely thanks to a growing number of intrusion strategies that get more sophisticated as time goes by. And now, in 2020, there is the added challenge of facing the risks presented by COVID-19, including more employees working from home and the adoption of new technologies designed to support a remote workforce.
To shed light on these and other OT security challenges, Fortinet has released the 2020 State of Operational Technology and Cybersecurity Report.
Providing Insight on OT Security
The increasing volume of cyber threats impacting ICS/SCADA systems has presented new challenges for OT leaders as they work to address their expanding attack surface and decide which cybersecurity strategies and solutions they should adopt. Understanding these challenges was the focus behind Fortinet’s latest study that exclusively targeted individuals responsible for some aspect of manufacturing or plant operations, and with job titles ranging from manager to vice president. All respondents also work at companies involved in one of four industries, including:
- Energy and Utilities
Among the gathered responses, this study highlights four main trends that help illustrate the current state of OT security across organizations:
1. OT Leaders Have a Broad Set of Responsibilities, Including Cybersecurity
OT leaders typically report to higher-ranking individuals within the organization, such as a VP, COO, or the CEO. The overwhelming majority (80%) are also regularly involved in making cybersecurity decisions, with half having the final say in those decisions. 64% of OT leaders have also taken on the responsibility of embedding security within the operations process, and 71% are regularly involved in IT cybersecurity strategy.
Because cybersecurity is a top priority for these individuals, trends show that matters related to OT security will soon become the responsibility of the CISO, if they are not already. The inevitability of this shift is highlighted by the fact that most (61%) respondents stated that they expect their CISO to take on all OT security responsibilities in the coming year. This is likely due to the increased risk of connected OT systems and their impact on business continuity.
2. Core Cybersecurity Protection is Not Featured Within All OT Infrastructures
The report also revealed gaps in many OT infrastructures that include security. For roughly 40% – 50% of those organizations surveyed, the following protocols and security features were missing:
While more than half (58%) of organizations are seeing their budgets increase in 2020, it should also be noted that 15% are instead seeing a decrease in funding, which could be connected to COVID-19-related revenue losses.
3. Security Measurements and Analysis Remain a Challenge for OT Leaders
The Fortinet survey found that between 36% and 57% of organizations lack consistency when it comes to measuring items on a list of standard metrics. Among the most commonly tracked and reported areas are vulnerabilities (64%), intrusions (57%), and cost reduction resulting from cybersecurity efforts (58%). Conversely, fewer than half of organizations (43%) are known to report on tangible risk management outcomes, and 39% to 50% do not routinely share basic cybersecurity data with senior executive leadership.
Respondents also cited security analysis, monitoring, and assessment tools as among the most essential features in security solutions, with the majority (58%) ranking these specific attributes in the top 3. Despite the prioritization of these features, however, 53% reported that security solutions hinder operational flexibility and half reported that they create more complexity.
4. Most OT Leaders Struggle to Prevent Intrusions
The majority of responding organizations also reported that they had been largely unsuccessful at preventing cyber criminals from exploiting their systems, with only 8% stating that they had had no intrusions over the past 12 months. Among those surveyed, it was also found that:
- 90% have experienced at least one intrusion in the past year
- 72% have experienced three or more intrusions in the past year
- 26% have experienced six or more intrusions in the past year
The impact of these exploitations was also noted by respondents, with more than half (51%) documenting lost productivity, 37% seeing operational outages impacting revenue, and 39% having their physical safety put at risk—a significant concern considering the inherent dangers of industrial facilities.
OT leaders also noted the commonality of specific attack methods, including malware (60%), phishing (43%), hackers (39%), ransomware (37%), distributed denial-of-service (DDoS) attacks (27%), and insider breaches (18%).
Security Best Practices in Operational Technology
This report also identified two subsets of respondents: those who had no intrusions during the past 12 months (top-tier) and those who experienced more than 10 intrusions during that same time (bottom-tier). Among those top-tier organizations, the following best practices were noted:
- Top-tier organizations are four times as likely to ensure that their OT activities are centrally visible to their security operations teams.
- They are also 133% more likely to track and report on vulnerabilities that were found and blocked.
- These organizations are twice as likely to have the CISO or CSO currently responsible for OT security.
- OT leaders within these organizations are 25% more likely to be directly responsible for embedding security into OT processes.
- Top-tier organizations are 25% more likely to have a NOC to ensure centralized visibility and monitoring of network activity.
- Top-tier OT leaders are 25% more likely to be measured by response time to security vulnerabilities, placing it as either a first or second priority.
- And these OT leaders are 25% more likely to report on compliance with industry regulations to executive leadership, suggesting automated compliance reporting that enables a real-time approach.
By following these seven best practices, OT leaders can expect benefits such as higher productivity levels, more robust cybersecurity defenses, and a better chance of keeping up with changes in the industry.
Amidst growing vulnerabilities among ICS/SCADA systems and an increasing volume of significant intrusions, this latest report shows that OT leaders are largely falling behind when it comes to cybersecurity. Many find it challenging to deploy the right security tools and keep up with the increasingly sophisticated cyber threats that await their newly connected systems. Some, however, are managing their OT cybersecurity with success, as demonstrated by the top-tier organizations referenced in this report. By learning and following their best practices, making a commitment to promoting centralized visibility, and taking a proactive approach to security, organizations can turn the tables on cybercriminals to protect their critical OT infrastructures.