OT environments continue to face cybersecurity challenges, some of which were exacerbated by the shift to working from home due to the COVID-19 pandemic, Fortinet found in its latest report on the sector. The pandemic also accelerated IT-OT network convergence and digital transformation for most organizations, putting them years ahead of where they would have expected to be at this point.
IT-OT network convergence was already gaining momentum before the pandemic, but the effects of the pandemic accelerated digital transformation and increased the need for connectivity, Fortinet said in its ‘2021 The State of Operational Technology and Cybersecurity’ report. OT (operational technology) cybersecurity issues are reported to senior/executive leadership fairly evenly, although the results of penetration/intrusion tests are not shared quite as much as the other issues.
“Really significant that the attackers – the bad guys – have caught on to the fact that OT is out there and it is critical, it is crucial to companies and they realize that they can really make money on ransomware, for being able to shut down the companies’ production lines, because that’s the heart of their business,” Joe Robertson, Fortinet’s director of information security and EMEA CISO, said in a Fortinet Live online discussion on Tuesday.
“Although OT is more and more targeted, almost all of the attacks on OT are coming from the IT side originally, and they are getting through into that OT network because OT networks are not air-gapped anymore,” Robertson added. “Even OT networks that people think are air-gapped, there is usually some connection that no one’s noticed.”
Agreeing with him, Rick Peters, Fortinet’s CISO Operational Technology for North America, said that it is almost impossible to think about being omnipresent.
In 2021, Fortinet noticed a change in respondents away from the manager of manufacturing to more VP and director level executives. The responsibility for OT environments is shifting away from VP or Director of network engineering to CISOs and CIOs. Additionally, there were more SOCs (security operations centers) and significantly more NOCs (network operations centers) in place in 2021 than in the prior year.
Robertson said that the CISO, or a security organization of some ilk, is taking over responsibility for security in OT, and termed that ‘great news.’
“The big thing that I’m seeing is that most companies have figured out that they have got to have a separation between the IT and the OT,” he added. “They put in place a DMZ in Purdue Model terms – Layer 3.5. And they have pretty much understood that. What they haven’t yet been doing a lot of is going that one step further. Going down in the layers and starting to microsegment.”
The Fortinet data is based on a survey conducted for a week in February, using questions similar to those asked in similar surveys in 2019 and 2020. Respondents work at companies involved in four industries: manufacturing, energy and utilities, healthcare, and transportation. All are responsible for some aspect of manufacturing or plant operations and occupy job grades ranging from manager to vice president. The study uses data from the survey to paint a picture of how operations professionals interact with cybersecurity in their daily work.
Employees were also required to work from home, while OEMs and system integrators were hampered by their inability to travel to service equipment, Fortinet observed in its report. These two separate issues both affected technology budgets. SOCs and NOCs needed more staff and equipment because the pandemic accelerated digital transformation and increased the need for connectivity for secure remote access.
Nine out of 10 organizations experienced at least one intrusion in the past year, which is almost identical to the results of last year’s survey, Fortinet said. Even though the pandemic was an unusual situation, a 90 percent rate of intrusion represents a significant problem that should concern OT leaders. There was a significant change in insider breach instances, which have increased to 42 percent.
Some organizations had to increase their technology budgets to accommodate the move to remote work, which led many industrial companies to look for new ways to streamline processes and reduce costs, according to Fortinet.
The survey showed significant growth in phishing attacks with 58 percent reporting this type of intrusion, up from 43 percent last year. The increase in phishing stems from attackers exploiting weaknesses related to the rapid changes to working that occurred at the beginning of 2020. No one was immune, and along with everyone else, OT environments were also affected.
Peters sees the road ahead as exciting for OT systems owners. “I think there is a lot of promise, I think we are seeing changes that allow us to be transparent, scalable and fast, and we know all of those elements are part and parcel of how you are going to protect the OT leader, not just in 2021, but in the next decade because you are looking for a long-term, fool-proof way that they can trust.”
Interest in the resiliency that comes from implementing cybersecurity best practices has grown over the past 12 months. Despite that interest, the 2021 report indicates that OT leaders continue to struggle. Increased digital connectivity of OT and IT networks rolls on, yet in this year’s survey 7 percent of OT leaders reported no intrusions. “It’s clear that many organizations face challenges when it comes to security practices and ultimately protecting their infrastructure from today’s increasingly sophisticated cyber threats,” according to the Fortinet blog post.
Top-tier OT organizations are realizing cybersecurity success and managing to weather the unusual situation brought on by the pandemic and the corresponding rapid innovation. Risks continue to be high in companies that are charged with protecting OT environments, holding steady from last year. The results are not as bad as they could be considering the coincidence of a global pandemic. If nothing else, the past year has reflected how important it is for organizations to continue proportional investment in security.