OTORIO survey highlights rising awareness of OT cybersecurity, supply chain challenges

OTORIO released this week results of its 2022 OT cybersecurity survey report that revealed amidst an acceleration towards a connected production floor, especially around remote operations and supply chain management, the growth of cybercrime itself, and tightening of legislation and regulations pushed forward by governments that are taking an increasingly active role in cyber defenses.

The OT market was air-gapped for so long that the right security measures are hard to gauge, though a lot of solutions serving OT today are retrofitted IT solutions, with mitigation methods unsuitable for OT, in addition to patches or workarounds that add a layer of complexity, OTORIO said in its survey. 

OTORIO conducted the survey amongst C-level managers, directors, or heads of cybersecurity from companies that ranged from 250 to 10,000 employees from across North America, Latin America, and Europe. The survey covered industries ranging from energy and utilities to oil and gas, coal mining, and alternative energy. Respondents were selected and approached through a global B2B research panel, invited through email to complete the survey, and responses were collected during the fourth quarter of last year. 

Respondents reported an increase of 98 percent in the level of digital and cyber risks to their operations over the past three years, OTORIO said in its survey report. The concern over OT (operational technology) cybersecurity is well-founded, as 67 percent of respondents reported that risks have increased significantly since 2019, and 31 percent noticed an increase that was slighter. Merely two percent of respondents said they haven’t noticed a difference in the level of cyber risks over the past three years. 

“These findings are not surprising when considering headlines over the past year about OT cyberattacks like the Lockbit ransomware attack, the Colonial Pipeline attack, the Ultrapar interruption in the fuel industry, and the Wiregrass energy ransomware attack,” OTORIO said.

Supply chain attacks are the top concern of OT cybersecurity experts, with 53 percent of respondents putting supply chain attacks among their top three concerns when it comes to cybersecurity, and 99 percent reporting a supply chain attack in the last 12 months, OTORIO said. Especially in OT, there is a very long supply chain and strong dependence on suppliers. No matter how strong a company’s security posture, it is only as strong as its weakest link, the company added. 

The Kaseya and SolarWinds attacks, as well as the large-scale attack on the African port network, are just a few examples of major supply chain attacks in 2021 – with hundreds of organizations impacted following exploitation of a vulnerability in one service provider, according to the survey. Companies are only as strong as their weakest link. In an operational or industrial environment, this could be any vendor with remote access to the production environment, who may not even be visible to IT monitoring tools, since OT works differently, it added. 

The three top drivers for cybersecurity have been identified as compliance, growth, and cyberattacks. Compliance accounted for 86 percent, as OT cybersecurity is now mandatory for compliance with regulatory requirements and standards, the OTORIO survey said. The growth factor recorded 83 percent since adding secure connectivity is a key enabler of digitization and growth, especially for areas like renewable energy that rely on a connected grid. Cyberattacks accounted for 82 percent following the recent spate of attacks on critical infrastructure have raised concerns about the consequences of a cyberattack. 

OTORIO said that it is interesting to note that failure to comply with regulations is even more of a concern for respondents than the consequences of a cyberattack. 

Organizations can extract only minimal value from their existing OT cyber solutions, with the key challenges with existing OT cybersecurity systems emerging in the form of skills gap at 57 percent, mitigation suggestions not being feasible at 49 percent, alert fatigue at 44 percent, and complexity at 33 percent, according to the survey. 

According to the OTORIO survey, the top three roles responsible for managing OT cybersecurity are VP/head of manufacturing/engineering accounting for 31 percent, followed by the CISO at 30 percent, and the CEO at 23 percent. “It’s interesting to note that the most likely person taking charge of cybersecurity is not a trained security expert, but rather the Head of Manufacturing,” it added.  

Respondents reported that 47 percent of them have an in-house team to manage OT cybersecurity, the survey said. About 53 percent rely heavily on managed services. 41 percent outsource OT cybersecurity completely, and 12 percent say they have a hybrid mix of outsourced and in-house teams. 

Another interesting measure was that most companies are planning to increase their 2022 cybersecurity budgets by over 50 percent, the OTORIO survey said. With a clear rise in cybercrime, more regulations than ever before, digital transformation, and the shift to a connected production floor, over half of respondents, 54 percent, are planning to increase their 2022 cybersecurity budget by more than 50 percent, it added. 

The OTORIO survey also pointed out that 61 percent of respondents indicated that they are seeing a significant increase in the number of regulations and standards their organization needs to comply with. This aligns with the reasons respondents are making cybersecurity a priority. When comparing responses by industry, energy and utilities reported the most significant increase in the number of regulations and standards at 80 percent, compared to the oil & gas industry at 61 percent, and the water treatment industry at 37 percent.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.