Cybellum report on industrial device security reveals lack of maturity, budget reluctance among manufacturers

New data released by Cybellum shows that device security programs (also called product security programs) at industrial device manufacturers are largely immature. Survey results also showed that efficiency is the top device security challenge, that continuously managing product security amid evolving technologies is a major challenge, and that increasing compliance with regulations has emerged as the top priority. The report also disclosed a limited focus on software supply chain security, and found that manufacturers hesitate to increase product security budgets despite recognizing these challenges.

In its report titled ‘2023 Industrial Device Security Survey,’ Cybellum identified that a significant majority of respondents (98 percent) recognize the importance of device security for OT (operational technology) network security. “They believe that strong OT network security relies on robust product security measures. What is noteworthy is that among those who perceive the importance of device security for OT network security, a substantial portion (81%) have increased their device security budget in 2023 compared to the previous year.”

The survey highlights the clear understanding among security professionals that device security plays a vital role in overall industrial network security. It indicates a willingness to invest financial resources in enhancing device security measures.

The Cybellum survey, conducted in the first half of 2023, targeted 200 full-time employees across industrial device manufacturers serving the energy, food and beverage, transportation, water and wastewater systems, and chemicals sectors. These companies are in the U.S., Germany, the U.K., France, Switzerland, Sweden, Italy, Japan, China, and South Korea. Respondents typically included managers and higher-level executives involved in developing software-driven industrial automation equipment, industrial control systems, SCADA (supervisory control and data acquisition) equipment, and other software-driven machinery.

Commenting on the key shockers of the Cybellum report, Slava Bronfman, CEO of Cybellum, told Industrial Cyber that the first was the lack of maturity of device security programs at industrial equipment manufacturers: only 30 percent of respondents believe their organizations possess a mature enough device security program. “Given all the cyber attacks going on out there, along with the growing regulatory pressure, I was expecting to see more investment in this space and greater confidence in the quality of device security programs. It seems we are not there yet…,” he added.

“Partially related to that, I found the lack of clear organizational ownership for device/product security a disturbing point,” Bronfman added. “If you don’t have a dedicated executive sponsor for such an important aspect of your business, how could you improve over time? Our survey found that ~50% of respondents did not have a dedicated exec responsible for product security (sometimes it was managed by the CEO or CTO or other senior execs, on top of their other responsibilities…).”

Finally, despite recent vulnerabilities underscoring the supply chain challenges associated with open source and commercial software used in industrial machinery, equipment manufacturers don’t seem to prioritize software supply chain security, Bronfman highlighted. “Only 24% of respondents mention software supply chain security as a top challenge, and just 17% name enhancing control over supply chain security issues as a top priority for their product security roadmap.”

Echoing Bronfman’s views, Jonathon Gordon, directing analyst at TP Research, told Industrial Cyber that he can’t help but express concern over the state of product security across the corporate landscape. “While it’s encouraging to see larger manufacturers appointing Chief Product Security Officers to spearhead their efforts, smaller manufacturers are often left in the lurch due to budgetary and skill constraints.”

Gordon added that what’s particularly disconcerting is the budgetary inertia highlighted in this survey. “Despite the clear and present risks, a staggering majority of companies have no plans to bolster their product security budgets. This complacency could very well serve as a ticking time bomb for manufacturers and critical industry.”

Bronfman also addressed how, despite the ever-evolving threat landscape, manufacturers can afford to hesitate to increase product security budgets even while recognizing the challenges. He also looked into the possible rationale behind manufacturers not prioritizing supply chain security.

“There isn’t a simple answer to this one,” Bronfman pointed out. “In our survey, we found that most respondents recognize the importance of product security in protecting IPR, brand reputation, and business outcomes. Most also see it as a potential competitive edge. So, it could be related to balancing other priorities and maybe firmer regulatory supervision/enforcement is needed here.” 

Regarding software supply chain security, Bronfman said that it “could be that equipment manufacturers are expecting clearer guidelines from regulators about this, or maybe are contemplating how to collaboratively tackle this issue with their suppliers (mind you – it’s not an easy/simple task).”

Based on the survey results, Bronfman identified likely emerging trends in the industrial device security sector. He also laid out measures that should be adopted immediately, given that managing product security amid evolving technologies is a major challenge in the present landscape.

“We see a clear realization that there’s no silver bullet when it comes to product security – respondents flagged multiple challenges and priorities in their pursuit of strengthening product security,” Bronfman said. “Many teams, with different expertise and know-how, are involved in securing industrial equipment – from design, through the lengthy development phase, to post-production security monitoring and maintenance (which could last tens of years). This calls for greater investment and accountability for product security within organizations and alignment of internal resources.” 

Bronfman said that he expects to see the role of ‘chief product security officer (CPSO)’ elevated to a level comparable to that of a CISO, “with such a function tasked at generating a holistic view of the organization’s product security readiness while guiding dedicated resources on safeguarding software-driven industrial machinery. So, assigning dedicated executive resources and establishing product security management and governance practice are foundational steps that every equipment manufacturer should take,” he added. 

“This will also necessitate having ‘tools of the craft,’ such as a dedicated product security platform, that facilitate the work of multiple teams while providing executives the relevant management capabilities,” Bronfman added. “Such a platform will consolidate multiple makeshift solutions based on generic IT capabilities, improving efficiency, reducing cost and TTM.”

Gordon added that the recent survey data is quite revealing: it shows a marked shift among manufacturers towards compliance, likely fueled by the surge in cyberattacks and subsequent legislative pressures. “While regulatory mandates do raise awareness, they seldom translate into actual risk reduction or a more secure operational environment. Moreover, these regulations and guidelines often fall short in providing the granular details necessary to effectively align OT cybersecurity measures. This leaves a significant gap that companies need to address independently.”

“The pressing question that looms large in the realm of product security is: who’s going to foot the bill—be it for compliance or cyber risk mitigation? This financial conundrum is not unique to any one sector; we’ve observed it across various verticals,” according to Gordon. “Manufacturers are generally reluctant to absorb these costs, and while end-users increasingly demand security-by-design features, there’s a lingering question about their willingness to bear the additional expenses that manufacturers are all too ready to pass on.”

Additionally, Gordon pointed to collaboration across the supply chain as the critical factor for moving beyond superficial commitments to secure-by-design and improved product security. “It’s essential for manufacturers, asset owners, and operators to be tightly aligned in their efforts. Only through this level of integrated collaboration can we realistically expect to make significant progress in strengthening the security infrastructure of industrial settings,” he highlighted.

The Cybellum report identified that the primary device security challenge faced by industrial equipment manufacturers in 2023, as reported by 31 percent of respondents, revolves around the quest for enhanced efficiency. “This challenge encompasses various facets, including optimizing the utilization of cybersecurity personnel, reducing manual efforts, and expediting product security processes. Understandably, this challenge weighs even more heavily on smaller companies compared to their larger counterparts.” 

It added that the market reflects this trend, as manufacturers increasingly focus on automation, consolidation of tools and technologies, and improved risk prioritization to extract maximum value from their limited resources.

The report also identified two further critical challenges, each cited by 30 percent of survey respondents: maintaining continuous product security throughout the entire lifespan of industrial devices, and managing an expanding array of tools and technologies. “Presently, many companies resort to siloed and fragmented processes, hindering the efficiency and effectiveness of device security management.”

Cybellum identified that industrial equipment manufacturers highlight increasing compliance with regulations and standards as their top priority, with 37 percent of companies prioritizing this aspect in their 2023 device security roadmap. “This heightened focus may stem from the escalating number of cyberattacks targeting industrial organizations and the consequent legislative and regulatory pressures.” 

It added that foundational practices like threat modeling and Software Bill of Materials (SBOM) management emerge as key priorities that underpin compliance efforts. “These priorities underscore manufacturers’ commitment to investing in established security practices, expected to yield substantial benefits. Furthermore, these practices have the potential to extend beyond compliance, contributing to improved vulnerability management and enhanced incident response capabilities.”

The Cybellum report found that manufacturers are not prioritizing supply chain security, despite recent vulnerabilities underscoring the supply chain challenges associated with open-source and commercial software used in industrial devices. “Only 24% of respondents cite software supply chain security as a top challenge for 2023, and a mere 17% name enhancing control over supply chain security issues as a top priority for their 2023 product security roadmap.” 

Moreover, it added that 60 percent of respondents do not generate and share SBOMs with customers, and nearly half have no plans to implement VEX (Vulnerability Exploitability eXchange) reports in the next 12 months. “These figures point to a notable lack of emphasis on supply chain security.”

Last month, Cybellum announced that it had joined Japan’s Medical Information Sharing and Analysis Center (M-ISAC Japan). The company’s membership in the organization will allow it to participate in research projects that can help shape the future of medical device cybersecurity.
