Claroty reports that 37 percent of ransomware attacks on industrial organizations affected IT and OT environments

A new report from Claroty has found that 37 percent of ransomware attacks targeting industrial organizations have a significant impact on both their IT and OT environments, registering a 10 percent increase from 2021 and a significant lead over those impacting IT only (21 percent). Additionally, 75 percent of the industrial sector experienced a ransomware attack in the past year, as financial losses mount and cyber insurance premiums increase. 

In its latest report titled ‘The Global State of Industrial Cybersecurity 2023: New Technologies, Persistent Threats, and Maturing Defenses,’ Claroty identified five trends: ransomware attacks impacting OT environments are on the rise and remain costly; demand for cyber insurance is spiking as heightened ransomware activity leads to significant financial losses; industry regulations and standards are driving OT security priorities and investments; generative AI (artificial intelligence) is on the rise and is fueling significant security concerns; and progress is being made to close gaps in processes and technology.

Claroty contracted with Pollfish to survey 1,100 IT and OT security professionals in North America, Latin America, EMEA, and Asia-Pacific. Over a dozen industries are represented including automotive, chemical, electric utilities, food and beverage, oil and gas, pharmaceutical and biotechnology, transportation, water and waste, consumer products, mining and materials, IT hardware, forestry, and pulp and paper. The survey was completed last month.

“Our study shows that there is clearly no shortage of challenges facing OT security professionals, but we also found tremendous room for opportunity and appetite to mature security posture across industrial environments,” Yaniv Vardi, CEO at Claroty, said in a media statement. “Organizations are already working to bolster their risk assessment, vulnerability management, and network segmentation practices, in order to be highly proactive in their defense of cyber-physical systems.”

Claroty revealed that compared to its 2021 survey results, the primary impact of ransomware attacks has shifted from only IT environments to both IT and OT environments. “In 2021, 32% of ransomware attacks impacted IT only, while 27% impacted both IT and OT. Today, 21% impact IT only. The impact to both IT and OT increasing 10% in just two years is particularly significant,” it added. 

Also, on a global basis, 69 percent of targeted organizations paid the ransom, with the majority (54 percent) of attacks impacting multiple sites or functions. Of these attacks, over half of the organizations that paid the ransom suffered financial ramifications of US$100,000 or more. 

Claroty also reported that with 67 percent of organizations experiencing ransom attacks incurring $100,000 or more due to an incident, it’s no surprise that survey trends have shown a large majority (80 percent) of organizations opting for cyber insurance policies. “In the event of an attack, about half (49%) have opted for policies with coverage of half a million dollars or more,” it added. 

The report identified that the top three government regulations driving OT security measures are TSA Security Directives, CDM DEFEND, and ISA/IEC-62443. “Significantly, 45% of respondents stated that TSA Security Directives have had the most significant impact on their organization’s security priorities and investments. Trailing closely behind TSA Security Directives are CDM DEFEND with a 39% response rate and ISA/IEC-62443 with 37%,” it added. 

The New York-headquartered company also revealed that 61 percent of respondents are currently utilizing security tools that leverage generative AI. However, 47 percent of those respondents claim that the use of generative AI capabilities within their tools has raised their security concerns. 

Respondents reported that the most significant challenges or gaps within their OT security today are risk assessment; asset, change, and/or life cycle management; and vulnerability management. Organizations are working to fill these gaps in the next year, reporting at 43 percent that risk assessment is their number one security initiative for 2024. 

Additionally, over three-fourths of respondents describe their approach to network segmentation as ‘moderate’ or ‘mature,’ which is essential for restricting the lateral movement of cyberattacks through the network, including from IT to OT. About 78 percent also described their approach to identifying vulnerabilities as ‘moderately’ or ‘highly’ proactive, which is a notable increase from 66 percent in the 2021 survey. 

Looking further into vulnerability and risk management strategies, respondents indicated that they use multiple risk-scoring methods to prioritize vulnerabilities impacting their industrial cyber-physical systems (CPS) assets. 

Claroty identified that the most popular is the Common Vulnerability Scoring System (CVSS), used by 52 percent of global respondents, followed by existing security solutions’ risk scores (49 percent), the Exploit Prediction Scoring System (EPSS) (46 percent), and the Known Exploited Vulnerabilities (KEV) Catalog (45 percent). “These results highlight just how difficult vulnerability management can be, especially in CPS environments, where patching everything is often impossible or too complex to execute,” the report added.

The survey results show that industrial organizations are increasingly prioritizing cybersecurity and compliance. However, given the prevalence, variety, and impact of cyber attacks, there are opportunities to further strengthen their security programs to ensure cyber and operational resilience.

Claroty offers three recommended practices that can assist security leaders and their teams in effectively addressing their top pain points and priorities in today’s interconnected world. The first is gaining visibility into all CPS in the OT environment by executing a comprehensive inventory of all assets, including OT, IoT, IIoT, and BMS. It is essential to ensure that CPS security solutions offer multiple, highly flexible discovery methods that can be mixed and matched to deliver full visibility in the manner best suited to distinct needs.

The report also called for finding CPS security solutions that integrate with the organization’s already extensive tech stack. By extending existing tools and workflows from IT to CPS, organizations can safely uncover risk blind spots without endangering operational outcomes. This strategy will help industrial organizations take control of their environment and create further visibility across traditionally siloed teams.

Unlike IT environments, most CPS infrastructures lack essential cybersecurity controls and consistent governance. That’s because legacy systems in many CPS environments were built with a focus on functionality and operational reliability, rather than security, as these systems were not initially intended to be connected to the internet. 

Claroty identified that the rise of internet connectivity has caused these previously ‘air-gapped’ systems to converge with IT networks, which were not designed to be connected and managed in the same way. “Without CPS-specific security teams or solutions in place, organizations will suffer from a lack of consistent governance and controls. To resolve this, organizations should evaluate CPS security vendors that can help to extend your IT controls to CPS by unifying your security governance and driving all use cases on your journey to cyber and operational resilience,” it added. 

In conclusion, cybersecurity challenges in the industrial sector continue to grow, as IT and OT networks converge and the attack surface for cybercriminals expands. This was revealed in the responses to the survey questions on ransomware attacks and the financial and operational damage they cause. Unsurprisingly, due to the rise in ransomware attacks and resulting payments, the majority of respondents indicated that their organizations have opted for cyber insurance policies.

“As another subsequent result of increased cyber attacks, we have seen a rise in industry regulations and standards, which have driven security priorities and investments,” the report highlighted. “As generative AI solutions continue to advance, and new and more advanced threats emerge, organizations must adhere to cybersecurity best practices and partner with the right CPS security vendor to ensure that their unique environment is protected. With strong security leadership in place, well-rounded security programs implemented, and adherence to guidelines and frameworks from regulatory bodies, industrial organizations are on the right track to ensuring cyber and operational resilience.”
