Industrial cybersecurity company Applied Risk released its annual report looking at the state of industrial cybersecurity. The report includes a number of insights on operational technology security from Applied Risk’s work with clients around the world and findings from the company’s research teams from January 2019 until July 2020.
“Though COVID-19 has impacted our ways of working, the trends affecting OT security have not significantly changed in themselves, but there were rather changes in direction and degree of these trends,” the report says. “This report identifies and analyses a few key trends and presents some insight as to their causes, effects and future implications. Some of these trends overlap or continue from previous years. However, the skills shortage is considered the overarching trend: without adequate skill sets it will be almost impossible for organisations to manage and maintain an effective OT security posture.”
The State of Industrial Cybersecurity 2020 report looks at the impact the COVID-19 pandemic has had on OT environments.
“For those industries hardest hit, difficult decisions have had to be made with often far-reaching consequences for employees, industry supply chains and consumers alike. Faced with the priority of cash flow preservation, many new projects that involve significant Operational Technology (OT) investment have been put on hold or cancelled altogether. Other organisations have had to accelerate their OT resilience plans, but on reduced budgets,” the report says. “Within the hardest hit industries, existing business operation headcounts are being reduced to cut down costs, often leaving skillset gaps and voids within teams tasked with protecting the availability and integrity of OT systems. While industry continues to face up to the challenges of adapting to the ‘new normal’, cybercriminals have seen opportunities to exploit, profit and cause harm.”
Like most of the world, the OT domain has seen an increase in remote access. Applied Risk researchers also noted an increase in IT/OT integration and cloud adoption in OT.
“With a big increase in OT system remote user access and operations, security considerations and safety implications have had to be considered against business continuity needs. For those organisations not able to scale-up secure remote user access to their OT systems, compromises have ultimately had to be made, inevitably increasing risk exposure,” the report says. “Asset owners and operators are having to adapt to a COVID-19 risk landscape that highlights the importance of ‘Situational Awareness’. Therefore, they are moving towards situation aware, agile and responsive operations, taking more preventative security decisions and taking effective action ahead of time, rather than reacting after an event has occurred.”
Applied Risk has noted an increase in mergers and acquisitions in the OT security market along with an increase in focus on maintaining core operations while still improving OT security performance. Researchers also noted that while investment in OT security increased in some sectors, it decreased in others.
“The convergence of traditional IT being used within the OT domain has led to a natural progression of traditional IT or OEM companies acquiring OT focused cyber security companies,” the report says. “The main drivers are to expand their solution portfolio offerings to their customers or to acquire OT dependent customers. This trend of big companies acquiring OT security companies will continue as they need to expand their solution offerings and because IT companies need to meet the demands of and remain relevant to their OT customers. Mergers and acquisitions between organisations that offer strengths in IT and OT capabilities make strategic sense, as this enables them to offer ‘one-stop shops’ catering for both cyber security products and consulting services in both OT and IT environments.”
Additionally, the State of Industrial Cybersecurity 2020 report indicates continued strengthening of OT security laws and regulations, increased complexity in cyber insurance products, and growth in the use of undocumented applications and “Shadow OT.” All the while, Applied Risk says the shortage in OT security skills continues.
“Applied Risk’s assessment of the state of OT security for 2019 and first half of 2020 leads to the conclusion that the main challenges observed in the field continue to stem from deficiencies in governance,” the report says. “Clear ownership must be properly defined in order to drive all the OT security improvements in the organisation within a strategic framework and maintain such commitment over the long term. Equally important are the business goals and the organisation’s vision of OT security.”