Cybersecurity company Fortinet conducted a survey with Forrester Consulting to examine security trends affecting industrial control systems (ICS) and those who manage and maintain critical infrastructure, including ICS and supervisory control and data acquisition (SCADA) systems.
The two vendors investigated the growing trend of operational technology (OT) systems being connected to the internet, leading to an increase in both recycled IT-based attacks and purpose-built OT exploits. Hackers are becoming increasingly sophisticated with their cyberattacks, making them more likely to succeed at organizations without strong defenses. Attacks on critical infrastructure can result in financial loss, a risk to brand reputation, and sometimes even loss of life or threats to national security.
Integration of IT/OT systems has led to several security challenges such as expanded attack surfaces, legacy systems whose security features were designed for a disconnected infrastructure, poor visibility into systems, and poor network segmentation, Fortinet said.
The report identified four trends affecting ICS: first, organizations are moving more deliberately than expected in the convergence of IT and OT systems to ensure the security of critical infrastructure; second, critical infrastructure professionals have many security concerns, including emerging risks from Internet of Things (IoT) devices and ongoing and growing priorities centered on compliance; third, a typical organization has not deployed a strategic, integrated approach to OT security, instead deploying multiple technical point solutions on different timelines and, in some cases, relying on one or more third parties to cover specific aspects of security; and fourth, organizations tend to find themselves stuck in a reactive stance toward security, and as a result, the vast majority have suffered breaches in their ICS and SCADA systems, many as recently as the past 12 months.
Forrester conducted a quantitative survey of more than 400 professionals from around the world, who are responsible for the protection of critical infrastructure, internet protocol (IP)-level security, or security for SCADA systems or IoT devices. Forrester conducted studies earlier on security trends affecting ICS and similar topics, in 2016 and 2018, and this report makes note of shifts that have occurred since the earlier study.
Respondents work in job grades ranging from manager to C-level executives, working across distributed critical infrastructure sites, such as those involved in manufacturing, telecommunications, and energy production and distribution.
About 10 percent of respondents said that they had never experienced a data breach, while 58 percent of organizations reported having experienced this type of threat in the past 12 months, according to data released by the Fortinet-Forrester survey. Over 75 percent expect regulatory pressure to increase over the next two years. By expanding the period of consideration to 24 months, Fortinet found that OT system breach rates rose to 80 percent, showcasing the growing interest among cybercriminals in targeting OT systems.
Considering the high number of OT breaches, about 78 percent of organizations surveyed plan to increase their ICS/SCADA security budgets this year to combat these threats.
With the shift toward IT-OT convergence and the pursuit of operational efficiency, connectivity and exposure to more traditional IT threats have increased, Fortinet said. The proportional expansion of the attack surface has allowed cybercriminals to readily gain access to systems that were once isolated.
When surveyed, around 96 percent of respondents said they expect to face challenges as they move toward convergence, resulting in greater attention devoted to security concerns. Regulatory compliance, in particular, is a common concern. Seven in ten survey respondents report that they have experienced mounting compliance pressures over the past year, and 78 percent expect this trend to continue for the next two years.
Business partners can also lead to an additional dimension of risk for OT enterprises. Although granting essential privileged access to key designated personnel is critical, minimizing control access is equally important. This is reinforced by the fact that organizations most successful at securing their environments were also 129 percent more likely to severely limit or even deny access to partners. Successful organizations were found to grant only moderate access to their systems. These same organizations were 45 percent more likely to carry out critical security functions in-house as opposed to outsourcing this responsibility.
Survey respondents were also asked about different aspects of OT security, making it clear that many are taking a fragmented approach. Security measures currently in use at organizations ranged from 52 percent for SSH (Secure Shell) or TLS (Transport Layer Security) encryption to 74 percent for security analytics, Fortinet said. With encryption currently employed at barely half of organizations, it is not surprising that 30 percent of organizations plan to deploy it over the next year, making it the second most common new project behind Privileged Identity Management (PIM) technology at 31 percent.
Present initiatives to bolster security are in response to a threat landscape for OT systems that is increasingly advanced and ominous. When asked what factors contributed to their current ICS/SCADA security strategy, respondents showed more concern this year than in 2018 regarding both typical cybercriminals (75 percent, compared to 62 percent previously) and the threat of nation-state actors (66 percent, compared to 62 percent earlier).
One-third of organizations outsource their OT infrastructure, compared with 27 percent in 2018, according to Fortinet. But the percentage of organizations that outsource aspects of their OT security remained steady, marginally declining from 35 percent to 34 percent. Among those who do outsource some security functions, intrusion prevention system (IPS), wireless security, and IoT security are the most common. Nearly two-thirds of organizations give complete or very high access to IT providers, while solid majorities give similar access to business partners (59 percent) and government agencies (53 percent).
Considering the impact that a cyberattack can have on OT networks, security teams can achieve OT integration at the core by employing a next-generation firewall (NGFW) capable of accommodating environmental challenges, while using purpose-built features like compact SD-WAN functionality designed for OT environments, Fortinet said. A robust NGFW delivers enterprise architecture protection for the entire converged IT-OT network, while eliminating potential OT security gaps that cybercriminals are seeking to exploit, it added.