Last month cybersecurity company Fortinet released it’s 2020 State of Operational Technology and Cybersecurity report. According to the report, within the last year, the majority of organizations experienced at least three operational technology system intrusions.
“The 2020 State of Operational Technology and Cybersecurity Report from Fortinet finds that operational technology (OT) leaders are highly respected in their organizations, and that their teams are vital to their companies’ bottom lines. Cybersecurity continues to be an integral part of their daily work—and that work continues to be a struggle,” the report says. “In fact, an April 2020 survey of OT leaders conducted by Fortinet indicates that, as a whole, organizations are moving in the wrong direction in terms of outcomes.”
Fortinet surveyed operations professionals in manufacturing, energy and utilities, healthcare, and transportation. Sixty-five percent of respondents said they experienced at least three OT system intrusions within the past year. That’s an 18 percent increase from last year. Additionally, nine out of 10 organizations said they saw at least one intrusion. Only 8 percent of respondents had seen no system intrusions over the past 12 months, a decline of 18 percentage points compared with respondents to a similar survey a year ago.
“These intrusions often impacted operational efficiency, revenue, and even physical safety,” the report says. “A number of factors may play into this decline. OT systems are losing their air gaps and becoming increasingly interconnected with IT systems and the internet. Enterprise networks are becoming more complex, making holistic protection more difficult. And threat actors are using increasingly sophisticated tactics. But the research also shows a significant percentage of organizations have not extended some elements of basic security hygiene into their OT environments.”
The report also looks at cybersecurity spending. Fifty-eight percent of organizations are seeing their budgets increase in 2020, but only 13 percent expect to see a dramatic increase. And 15 percent of organizations are actually seeing their security budgets decrease. That’s an increase of 10 percent from the year before.
“While some organizations are managing the cybersecurity of their OT systems with considerable success, many more are struggling. This is clearly illustrated in the 19% decline in the percentage of organizations with no intrusions in their OT systems compared with last year,” the report says. “The nature of the challenge is unique at each organization. Some are challenged by staffing—either a lack of people or inadequately trained team members. Some are challenged by inadequate tools to handle threats and vulnerabilities. Some are challenged by the cost of providing these things. Many are challenged by the frequency and number of threats and by the time required to maintain adequate security to manage them. All but a few had at least one intrusion in the past year, with many having more than one.”
Fortinet’s report identifies best practices for avoiding system intrusions. These include assigning OT cybersecurity responsibilities to the CISO, tracking and reporting basic cybersecurity metrics, being involved in cybersecurity purchase decisions, having OT activities be centrally visible, and increasing security budgets.
“We compared the practices of respondents who had seen no intrusions in the past year with those who had 10 or more intrusions, and found that ‘top-tier’ OT leaders were significantly more likely to adhere to a number of best practices,” the report says. “These best practices reflect a holistic approach to cybersecurity that enables OT leaders to keep up with industry changes, reduce time and increase productivity, and provide the best protection against threats and vulnerabilities.”
According to the report, top-tier organizations are four times as likely to have centralized visibility in security operations centers. And, they are 133 percent more likely to track and report vulnerabilities found and blocked.
Fortinet also found that 44 percent of respondents do not track and report compliance with industry regulations. That same number of respondents do not track and report compliance with security standards.
Additionally, 65 percent of OT leaders are responsible for embedding security within ops processes, while 78 percent have placed OT security under the CISO, or will do so in the next year.
“Those following the specific best practices identified in this report tended to see significantly fewer intrusions,” the report says. “These recommendations are not earth-shattering. Rather, they consist of many of the basic practices of security hygiene—taking a proactive approach to security, working toward centralized visibility and control, and tracking and reporting basic cybersecurity metrics. As OT systems lose their air gaps and become integrated with IT systems and with the internet, OT leaders will need to reinforce security awareness on their teams and bolster their systems with adequate security protection.”