A lack of visibility into the attack surface, inadequate security staffing and reliance on manual processes undermine operational technology (OT) sector organizations’ stated requirements to protect OT and IoT infrastructure from downtime, a new report found.
There are manufacturers out there that say they have never been hit by a cyber attack, however 90 percent of OT organizations represented in this study experienced at least one damaging cyberattack over the past two years and 62 percent have had two or more, according to the report sponsored by Tenable and conducted by Ponemon Institute. These attacks have resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment.
This report is based on Tenable’s analysis of a subset of 701 respondents from Measuring & Managing the Cyber Risks to Business Operations whose organizations fall into the OT sector – defined as industries dependent upon industrial control systems (ICSs) and other operational technology. All respondents in the study are involved in their organizations’ evaluation and/or management of investments in IT and/or OT cybersecurity solutions. The reason for that is today’s operational systems rely on OT and IT assets.
The following summarizes the key findings:
1. Cyberattacks are relentless and continuous against OT environments. Most organizations in the OT sector have experienced multiple cyberattacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment. Many have suffered from nation-state attacks.
2. The C-level is heavily involved in the evaluation of cyber risk. C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organization’s business risk management.
3. Nearly half of organizations attempt to quantify risk from cyber events. 48 percent of organizations in the OT sector (vs 38 percent in the non-OT sector) attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.
4. OT sector organizations expect significant threats in 2019. Concerns about third parties misusing or sharing confidential information and OT attacks resulting in downtime to plant and/or operational equipment increase when looking at 2019. Worries about nation-state attacks continue at a significant level.
5. 2019 governance priorities vary. Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.
6. 2019 security priorities address sophisticated threats. The top 2019 security priority is to improve the ability to keep up with the sophistication and stealth of attackers. This isn’t surprising given the significant number of OT sector organizations that have suffered a nation-state attack in the past 24 months.
7. Organizations are challenged to improve cybersecurity. Few organizations have sufficient visibility into their attack surface. Gaining required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes.