Last month, industrial cybersecurity software company Claroty released the results of a survey of 1,000 security professionals. The survey examined the state of information technology and operational technology security in countries around the globe, including the United States, the United Kingdom, Germany, France, and Australia.
“While IT and OT convergence unlocks business value in terms of operations efficiency, performance, and quality of services, it can now be detrimental because threats, both targeted and non-targeted, have the freedom to maneuver from IT to OT environments and vice versa,” Dave Weinstein, Claroty’s chief security officer, said in a press release. “Our mission is to help security practitioners to bridge the gap between IT and OT cybersecurity, ensuring that all bases are protected from cyberattack. This is even more critical in this new normal of largely remote workforces, which create additional burden on CISOs to remotely secure their production environments.”
According to Claroty’s report on the survey, The Global State of Industrial Cybersecurity, security professionals are most concerned about cyber attacks on critical infrastructure. The survey found that 74 percent of respondents around the globe are concerned about an attack on critical infrastructure, compared to 24 percent who are concerned about an enterprise data breach.
“While the survey revealed some geographic differences, one area where most IT security professionals surveyed agree is concern over securing OT networks,” the report says. “Despite reporting they have received training and have the required skills, the majority of respondents would rather face a massive data breach than a critical-infrastructure related cyber attack.”
The survey also found that 51 percent of security professionals in the United States believe that today’s industrial networks are not properly safeguarded and need more protection. Another 55 percent believe that the country’s critical infrastructure is vulnerable to a cyber attack. Additionally, 67 percent of security professionals in the U.S. believe that a cyber attack on critical infrastructure has the potential to inflict more damage than an enterprise data breach.
According to the report, 63 percent of the IT security professionals surveyed from the U.S. expect a major cyber attack to be successfully carried out on national infrastructure within the next five years. However, 10 percent believe they will never see one.
While 51 percent of respondents in the U.S. do not believe their industrial networks are properly safeguarded, only 4 percent of respondents in Germany feel the same. Overall, 62 percent of respondents from around the globe believe that industrial networks are properly safeguarded. Comparatively, nearly all of the respondents from Australia (93%) and Germany (96%) are confident in the overall safety of their industrial networks.
“The disparity in perspectives points to the need to raise global awareness of attacks on industrial networks,” the report says. “Just as no organization, geographic region or industry is immune to IT security threats, the same is true for attacks on OT networks.”
The report also reveals which types of cyber attacks on industrial networks respondents expect to be most prevalent in 2020. Fifty-six percent of security professionals in the U.S. say hacking will be most prevalent, followed by ransomware at 21 percent and sabotage at 12 percent.
Additionally, respondents from the U.S. labeled electric power as the most vulnerable sector of critical infrastructure at 46 percent. This was followed by oil and gas at 18 percent and transportation at 13 percent.
“An overwhelming majority of U.S. IT security professionals (87%) believe that the government is responsible for properly protecting critical infrastructure from cyberattacks,” Claroty said in the press release. “This indicates how crucial it is for Chief Information Security Officers (CISOs) and IT teams to understand the importance of OT security and how it falls within their purview, as every company in the world relies on industrial networks.”
The survey also examined OT education and awareness. According to the report, 93 percent of respondents said OT security should be incorporated into the education and training of IT security professionals. However, this education and training is not happening across the board.
“IT and OT security practices are converging at a rapid rate due to digital transformation and the evolving threat landscape, which presents new challenges and opportunities for CISOs,” Claroty said in the release. “Demonstrating this, a majority in the U.S. (66%) have been trained in the differences between IT and OT networks and 65% believe they have the skills and experience required to properly manage OT network cybersecurity.”