Critical infrastructure under attack, as OT organizations struggle to secure frameworks, Barracuda reports

New research from Barracuda finds that organizations are struggling to protect operational technology (OT) as attacks are widespread, and are getting breached as a result. Insecure remote access, lack of network segmentation, and insufficient automation are leaving organizations open to attacks. The findings show critical infrastructure under attack, with businesses facing significant challenges as the geopolitical landscape becomes increasingly tense.

Moreover, 94 percent of organizations surveyed acknowledged a security incident in the last year, and 89 percent of respondents are very or fairly concerned about the impact that the current threat landscape and the geopolitical situation will have on their organizations. Breaches are also impacting operations.

“This report shows nearly all — 94% — of organizations have experienced at least one security incident, which likely impacted their industrial IoT infrastructure,” Barracuda said in its latest report, titled ‘The state of industrial security in 2022.’ “These incidents had significant impact on organizations, with 87% of them reporting their operations were impacted for one day or more. The incidents involved a wide range of attacks, with web application, malicious external hardware/removable media, and distributed denial of service attacks being the most frequent,” it added. 

Barracuda commissioned independent market researcher Vanson Bourne to conduct a global survey of senior IT managers, senior IT security managers, and project managers responsible for IIoT/OT in their organization. There were 800 survey participants from a broad range of industries, including agriculture, biotechnology, construction, energy, government, healthcare, manufacturing, retail, telecommunications, wholesale, and others. 

Survey participants were from the U.S., Europe, and Australia. In Europe, respondents were from the United Kingdom, France, Germany, Austria, Switzerland, Belgium, the Netherlands, Luxembourg, Denmark, Finland, Norway, and Sweden. The survey was fielded in April 2022.

“Several factors — including security incidents — are driving awareness and improvements. There’s certainly plenty of room for both, considering more than 90 percent of organizations surveyed acknowledged experiencing a security incident in the last 12 months,” according to the Barracuda report. The report takes an in-depth look at IIoT/OT security projects, implementation challenges, security incidents, technology investments, and a variety of issues related to cybersecurity risks.

Barracuda also said that the “respondents are also concerned about the impact that the current threat landscape and geopolitical situation could have on their organizations. While that largely sits outside an organization’s control, it impacts them in some shape or form and is a concern.”

Businesses are experiencing failures, with 93 percent having failed in their IIoT/OT security projects. Additionally, effective IIoT security implementations are making an impact. For organizations with completed IIoT and OT security projects, 75 percent have experienced no impact at all from a major incident.

Barracuda reports that IIoT and OT security continue to be major targets for attackers, but there is hope for businesses that take a proactive approach. “Businesses should implement tools to combat these challenges, including the use of secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service that can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access,” it added.

Organizations across the board have acknowledged the importance of investing even further in IIoT and OT security, with 96 percent of business leaders noting that their organization needs to increase their investment in industrial security, Barracuda reports. 

“Web applications and APIs are popular attack vectors. In the future, as automation increases, APIs will be a bigger target for attacks. APIs and management interfaces, which are not intended for public access, need robust protection and should never be exposed,” according to the report. “The issues with malicious external hardware and removable media, like USB sticks, were ranked surprisingly high. IoT/OT environments require temporary third-party access for maintenance as well as troubleshooting. The high ranking of compromised remote access shows the urgency for getting this fixed,” it added.

Barracuda also found that organizations with more devices experience more attacks, especially in the top attack categories. Interestingly, ransomware attacks are more evenly distributed across organizations with differing numbers of devices. “The high level of incidents underscores the vital need for IIoT/OT security to adequately protect all organizations. This is probably why 96% agree their organization needs to invest more in the security of IIoT and OT,” it added.

Across some critical sectors, organizations experienced fewer incidents. “In biotechnology, chemicals, and pharmaceuticals, nearly 20% had no incidents in the last 12 months. In energy, power, and utilities, 15% had no incidents in the last 12 months,” the report said. 

“A full 72% of organizations signaled that they have either already implemented or are in the process of implementing IIoT/OT security projects, but many are facing significant challenges when it comes to implementation, including basic cyber hygiene,” it added.   

Effective IIoT security implementations are making an impact. For organizations with completed IIoT and OT security projects, 75 percent have experienced no impact at all from a major incident.

Critical infrastructure organizations are leading with implementation, and 50 percent of oil and gas organizations have completed projects. Manufacturing and healthcare lag behind, with only 24 percent in manufacturing and 17 percent in healthcare having completed projects. 

Barracuda reports that most organizations, 94 percent, have experienced some sort of security incident in the last 12 months, which is a surprising and alarmingly high number. All government, mining and metals, and oil and gas respondents say they’ve experienced at least one incident. “Given the critical nature of some of these sectors, it’s essential they bolster security to avoid disastrous impacts,” the report added.

Furthermore, 87 percent of organizations that experienced an incident were impacted between one and five days. On average, it took organizations 1.84 days to resolve the issue. 

Adoption of multifactor authentication (MFA) is low, with only 18 percent of companies surveyed restricting network access and enforcing MFA when it comes to remote access to OT networks. Low MFA use is prevalent even in critical industries: in critical verticals like energy, 47 percent allow full remote access without MFA for external users.

Availability of skills also has an impact, as less than half of organizations surveyed can handle applying security updates themselves. Furthermore, manual updates are cumbersome, and organizations are hit the worst when security updates are not automatic.

While the good news is the majority of organizations are already implementing or planning IIoT/OT security projects, the even better news is organizations that didn’t experience an impact are more likely to have already completed some IIoT/OT security projects, so these projects seem to be effective, Barracuda reports. There are many challenges, however, in successfully implementing IIoT/OT security, including long implementation times and high costs. In fact, 93 percent of organizations had a failed project on their journey to IIoT/OT security.

Barracuda identified that some of the areas that require attention are the lack of network segmentation, reactive rather than proactive security updates, and insufficient automation. One area that requires urgent attention is remote access security. While most organizations allow both internal and external users access to their OT environments, roughly a quarter are not requiring multifactor authentication, leaving organizations wide open to attacks.

“Fortunately, effective solutions to IIoT security challenges are available, including secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service,” the report said. “These solutions can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access. In addition, web application firewall services can be deployed to protect the infrastructure from web application and DDoS attacks,” it added.
