OT teams struggle to keep pace with cybersecurity
The world of operational technology (OT) has undergone enormous transformation in recent years, fueling efficiency gains in the world’s factories, transportation and energy companies.
Today’s supervisory control and data acquisition (SCADA) systems are increasingly connected to the internet, which makes them conditionally more accessible and potentially at risk despite the intelligence value gained via cloud-based analytics.
However, along with the perceived operational efficiency gains has come a sharp rise in cyber risk. Systems once “air-gapped” and fully isolated from the internet are now part of the connected world and exposed to the threats that come with that expanded attack surface.
Just how big a challenge that has become was apparent in Fortinet’s 2020 State of the Operational Technology and Security Report. It found that the challenges of securing OT systems continue to dominate to-do lists as OT leaders grapple with ever-more sophisticated attack strategies.
Layer in the complexity of managing the business challenges surfacing due to COVID-19 and it’s clear that the way forward for organizations will not be trivial.
The report identified four main trends that underscore the state of OT security across organizations. Properly understood, these can enable the industry to create a more secure and efficient OT environment.
OT security trends
First, it’s clear OT leaders are getting their hands dirty. Eighty per cent of those polled shared that they are regularly involved in making cybersecurity decisions for their organizations, and more than half suggested they have final say in those decisions. In fact, nearly 75 per cent stated they are also regularly getting involved in their organization’s information technology cybersecurity strategies.
Cybersecurity has become core to the OT lead’s job description. Perhaps not surprisingly, 61 per cent of respondents revealed they expect their chief information security officer (CISO) to take on all OT security responsibilities over the next 12 months.
The trend here is clear. The lines that used to separate IT and OT continue to blur as both play a critical role in ensuring business continuity across their organizations.
Measurement and analysis were also flagged as a big challenge. The report revealed that organizations are tracking some security elements well, most notably security vulnerabilities (64 per cent) and intrusions (57 per cent).
Conversely, fewer than half said they are sharing the outcomes of their risk management efforts, or taking steps to ensure executive leadership have a view into basic cybersecurity data. That represents a significant lack of transparency.
Perhaps most troubling is that only eight per cent of respondents experienced zero security intrusions over the previous 12 months. Ninety per cent indicated they dealt with a single breach, with 72 per cent reporting three or more attributed to cyber-based attacks.
These attacks are consistently costly as more than half of the OT teams surveyed said they resulted in lost productivity. Meanwhile, 39 per cent admitted that physical safety was a real risk, and a smaller percentage revealed actual operational outages that directly affected revenue.
Report reveals best practices
To delineate contrasting actionable insights, the 2020 report divided respondents into two distinct groups – the eight per cent who recorded no intrusions, and the eight per cent who experienced 10 or more breaches.
The point is to identify the behaviours that could be useful in recognizing why some OT teams performed at a top-tier level. Sure enough, some interesting trends became quickly apparent.
First, the best performers were also the best at sharing actionable intelligence.
Top-tier organizations were 133 per cent more likely to track and report on any vulnerabilities they found and blocked, and were four times as likely to ensure their OT activities were made visible to their IT security teams. Clearly, implementing robust measurement and reporting directly leads to positive security outcomes across the organization.
Team structure and accountability also play a key role. Top-tier firms were twice as likely as bottom-tier respondents to have a CISO responsible for OT security.
What’s also interesting: top-tier OT leaders were 25 per cent more likely to be measured by their response times to security vulnerabilities.
Likewise, a similar number of respondents implied they reported their compliance with industry regulations to executive leadership. Taking ownership appears to pay dividends.
Despite their best efforts, OT leaders are largely falling behind when it comes to implementing comprehensive cybersecurity best practices.
While every OT organization faces unique challenges, OT leaders who commit to identifying security gaps and adopting best practices will eventually realize a more robust and proactive cybersecurity defense.
Such strategic commitment translates to increased confidence and trust that highly valued cyber-physical assets are continuously protected.
Rick Peters is chief information security officer, operational technology, North America at Fortinet.
This article originally appeared in the October 2020 issue of Manufacturing AUTOMATION.