OTORIO-ServiceNow survey throws light on state of industrial OT cyber security, detects mindset shift


OTORIO, a manufacturer of OT cyber and digital risk management solutions, and ServiceNow announced survey results on Tuesday, revealing that OT has become a key component of critical infrastructure and industrial manufacturing, including power grids, transportation networks, and manufacturing facilities. The OTORIO-ServiceNow survey also identifies a definitive shift in OT cybersecurity strategy mindset from visibility (reactive approach) to risk management (preventative approach), indicating that 2023 and 2024 will be pivotal for operational security and critical infrastructure. 

The OTORIO-ServiceNow survey acknowledges that with the increasing adoption of the Industrial Internet of Things (IIoT) and other Industry 4.0 technologies, the connectivity and interdependence of OT systems have grown exponentially, providing significant benefits to organizations but also increasing the risk of cyber threats. It also found an increasing concern for ensuring safe and resilient operations while organizations work to implement more effective OT security strategies. 

Conducted across 200 C-level executives and directors in the U.S. and Canada to identify key OT cybersecurity challenges and priorities, the survey reveals that most critical infrastructure organizations and manufacturers believe that they are at a high risk of OT cybersecurity attacks. It also revealed that with the impact of the challenges posed by OT cyber threats, senior leaders are defining and implementing strategies that involve a combination of technology solutions, policies, procedures, and training. 

Addressing the potential measures these operations could adopt to fend off adversarial threats and attacks, Daniel Bren, CEO and co-founder at OTORIO, told Industrial Cyber that one of the prevailing steps is to leverage multiple existing tools to gain a holistic view of the enterprise. “By sharing, integrating, and analyzing data from multiple sources, customers gain deeper, contextualized insights about the risks to their environment. The next step is prioritizing and filtering your risks based on known vulnerabilities.”

Bren added that independently, most security solutions are noisy, and it is easy to get overwhelmed by or desensitized to the alerts they provide. “Filtering these alerts down to the ones that matter enables customers to apply attention and resources to the alerts that pose real and severe threats.”

Karan Shrivastava, director of product management at ServiceNow, told Industrial Cyber that “to us, an ounce of prevention is worth a pound of cure. What we mean by that is to the left of an attack (before an attack happens), if an industrial company can discover all the OT assets they own, understand the vulnerabilities associated with these assets and respond rapidly to patch these vulnerabilities – that will go a long way in fending off threats and attacks.”

The OTORIO-ServiceNow survey disclosed that 58 percent of organizations consider the level of OT cybersecurity risk to be ‘high’ or ‘critical.’ There has been a rise in OT security threats in 2021-2022 from various groups, including hacktivists, state-backed APTs, and cyber criminals. Decision-makers recognize the pressing need for improved OT security measures, leading to a shift in how they are looking to manage risk moving forward. But with 81 percent of organizations managing their OT risk reactively rather than proactively, their inactivity is concerning because it leaves their systems exposed to disruption or compromise that could have serious consequences for public safety and national security.

The survey also revealed that only 31 percent of organizations currently have an OT/ICS security strategy in place, while 47 percent do not have an OT cyber security solution. Additionally, the survey said that 50 percent had established a team to develop a strategy, but only 47% of the companies surveyed have an OT cybersecurity solution in place, indicating there’s a gap between where companies want to be and where they are in terms of having a cyber security solution. 

“Concern is clearly growing due to the high level of risk, inefficient solutions, and increased regulations that put more accountability of OT security risk on software developers and critical infrastructure operators,” the OTORIO-ServiceNow survey revealed. “However, the survey also shows there is still work to be done to ensure that all organizations are adequately protected against cyber threats to their operational networks. This finding is a wakeup call for companies who aren’t already doing so, to take strategic steps towards a proactive cyber security solution.”

Addressing what is holding these organizations back from developing an OT security strategy, as industrial cyber insurance premiums are rising, Bren said that the demands of the OT world are fundamentally different from those of IT. “There is a complex mix of stakeholders and a clash between historical OT practices and the demands of the current security landscape.” 

Pointing out that the automation industry is also at a crossroads, Bren added that the digital transformation of the enterprise has driven the interconnection of customer relationship management systems, supply chain procurement systems, manufacturing resource planning systems, and customer engagement systems. “Many enterprises are beginning to realize that they need to make changes and improve processes along the way.” 

“In many cases, decision-making authority exists at the facility level, and the economic realities of the business make alignment on a single strategy difficult,” according to Bren. “In addition, the acknowledgment that this is an at-risk area for which a strategy is warranted clashes with the traditional priorities of the organization.” 

Finally, the governance and regulatory landscapes are rapidly evolving, and it is not often clear what ‘good’ or ‘compliant’ looks like, not to mention the costs associated with achieving a certain level of compliance, Bren said. “All these factors combine to add friction to what is already a difficult and time-consuming process. So, unless there is an immediate, significant financial risk to the organization, these hard discussions get avoided or delayed at the expense of security.”

Shrivastava assesses that part of the answer is cultural. “Since OT management is newer, many of the teams are being staffed from the IT world. This creates a situation where IT experts need to learn the idiosyncrasies of OT before they can credibly formulate a strategy. Then there is the education aspect where they need to learn about the solutions that are available as well,” he added. 

When looking at securing operational environments, the OTORIO-ServiceNow survey showed there is a difference in priorities between the IT and OT departments despite a shared goal to manage and mitigate risk: OT is risk-focused, whereas IT is visibility-focused. “50% of those who identified their main challenge as ‘not prioritizing risk alerts based on their business impact’ were operations department stakeholders, most likely because their existing OT/ICS security solutions have limited effectiveness and they are working reactively (post-breach) to threats,” it added.

The OTORIO-ServiceNow survey also revealed that OT security teams are therefore looking to be more risk-focused and proactive in actually stopping these threats preemptively, while IT departments are more concerned with automation, visibility, and alert fatigue. Given the differences between OT and IT security teams, it makes sense that their key challenges are different, and the survey’s findings confirmed it. The survey also points out that these critical gaps in OT security strategies highlight the need for an integrated and automated approach. 

“Enterprises are addressing crucial gaps in OT security programs by first taking time to understand the problems that have come with the digital transformation of their systems and processes,” Bren explains. “For many, the default answer is to replicate what they have in the IT space, with all of the acknowledged limitations to that approach. Another option is to adopt a crawl, walk, run approach focusing on visibility as a first step to a long-term strategic process. Actions like patching and blocking are untenable in the OT space, however, very few commercial entities are actually focused on proactively managing risk. Enterprises must make disciplined, informed decisions based on managing risks.” 

Executives need to take a systematic approach to OT security that brings people, processes, and culture together to help address business risk across the enterprise, Bren reveals. “The OTORIO platform provides a holistic understanding of these risks and guides enterprises with detailed mitigation playbooks to reduce risks prior to the occurrence of an incident. This unique approach offers customers a value-based solution that enables them to manage risk in advance rather than reacting (pulling the cables) when an incident occurs.”

Shrivastava identifies two major forces – a high degree of interdependence between devices and manual processes to create asset inventories and mitigate vulnerabilities. “This is time-consuming, labor intensive, and not actionable. Then there is the IT/OT convergence story. People can apply IT best practices to OT situations in order to overcome some of these drawbacks. These can include things like the automatic creation of an asset inventory or having a single pane of glass through which you manage your IT and OT assets,” he added.

Essentially, OTORIO is a discovery source and ServiceNow is a system of action, according to Shrivastava.

The OTORIO-ServiceNow survey also found that 81 percent of respondents manage OT risks by performing manual, on-demand risk reduction activities, periodically or only after an incident occurs, confirming the prevalence of the ‘reactive approach’ to cyber security. “A concerning number of companies are using a reactive, manual approach that is time/resource consuming and ineffective. It doesn’t protect them or limit the damage, leaving them open to downtime and financial loss, which is unacceptable for most companies because the consequences are far-reaching, affecting supply chains and business continuity.” 

However, the OTORIO-ServiceNow survey says that there seems to be a shift toward automation. More companies are looking to leverage automated tools to proactively reduce risk levels so they can identify vulnerabilities and eliminate them before they become risks.

The OTORIO-ServiceNow results also found that 78 percent of stakeholders are planning on increasing their OT security budget in 2023, on average by 29 percent, marking a significant increase, given the global economic slowdown and budget slashes. “The increase clearly shows how important the issue of protecting OT assets is to the survey’s respondents and reinforces their need to close the gap, by using the increased budget to realize the strategies and implement solutions. Companies that are looking to reduce spending should take care not to do it at the expense of security, as it may lead to greater financial loss and could damage business continuity,” it added.

In February, OTORIO disclosed the presence of wireless IIoT vulnerabilities that provide a direct path to internal OT networks, enabling hackers to bypass the common protection layers in the environments. The research found 38 vulnerabilities in hardware from four vendors, all of which OTORIO examined, some of them under a responsible disclosure process, making this a widespread issue.
