Applied Risk report finds companies struggling to bolster OT security maturity, as adversaries advance

An Applied Risk report released on Thursday revealed that companies are struggling to develop their OT security maturity at a pace comparable to the speed with which attackers are developing their own skill sets. Meanwhile, the OT landscape is becoming more complex due to IT/OT convergence and the introduction of industrial internet of things (IIoT) devices, virtualization, and cloud computing in these environments.

The report, titled ‘Architecting the Next Generation for OT Security,’ is based on data collected by the Ponemon Institute from over 1,000 IT and OT security practitioners in the U.S. and Europe. The data also includes input from Applied Risk’s own engagements and assessments, in addition to analysis from the company’s own subject matter experts (SMEs).

The overall sense among respondents is that they need to do more to ensure that the business benefits of these new technological developments can be realized in a secure manner, the Applied Risk report said. More than half of the respondents believe that their cyber readiness is not yet at the right level and that they are not able to adequately minimize the risk of cyber exploits and breaches in the OT (operational technology) environment. There is clearly still work to be done across the board.

Jalal Bouhdada, the founder and CEO of Applied Risk, described the report as insightful and forward-looking. “With this report, ‘Architecting the Next Generation for OT Security,’ Applied Risk is seeking to shed light on the recent past, current state, and near-future of industrial cyber security,” he said in a media statement. “We’ve utilised the data collected by the Ponemon Institute and the insights offered by our own SMEs to generate a framework for gaining a deeper understanding of the OT Security situation.”

The Applied Risk report takes into account the issues that surround the people, processes, and technologies that underlie current conditions in OT security. The report notes that the sector has been shaped by numerous factors including lower-than-ideal staff levels, the adoption of risk-based and OT-specific standards, and the failure to adopt enabling technologies. It also addresses urgent matters, such as questions about ownership of OT security leadership, concerns about access management and increasing attacks targeting OT environments, and the promise of new technologies, such as cloud computing.

Additionally, the report seeks to identify and illuminate the issues that will drive the development of the OT security realm over the next two to four years. It takes into consideration plans to expand the OT security headcount and broaden the skill pool of the workforce at large, explains how IT/OT convergence can help generate solutions to security challenges, and examines the potential benefits of security operations centers (SOCs). These SOCs are expected to transform how OT cybersecurity risks are managed. Organizations are expected to integrate IT- and OT-related SOC services, it added.

The importance of IT and OT systems convergence will continue to increase since it brings business benefits, according to the Applied Risk report. The benefits of this convergence can be realized when strong OT security programs are implemented. Basic technical measures such as patch management and secure remote access are still considered most effective in securing the OT domain. However, new security solutions continue to emerge or cross over into the OT domain, it added.

The Applied Risk report found that less than half of the respondents say their organizations have enough staff to manage cybersecurity risks today. On average, organizations expect to double the headcount dedicated to OT security within the next two to four years, though not all organizations have a team dedicated to OT security programs. The survey also noted that the respondents are aware that they need to upskill their staff and service providers and that better procedures are needed.

The report also delivers added value in the form of recommendations for bolstering OT security in the face of multiple significant challenges. It outlines some of the practical steps that organizations depending on industrial control systems (ICS) and other types of OT can take to address pain points related to people, processes, and technologies.

Just over three-fourths of the respondents say their organizations use an OT/ICS-specific cybersecurity standard to manage their security program, according to the report. Within this group, the most commonly adopted standard for minimizing OT security risks is the IEC 62443 series. Almost all standards take a risk-based approach, based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. However, not all organizations have an incident response plan.

The majority of respondents say their organizations are at risk because of their inability to ascertain the security practices of relevant third parties and to mitigate cyber risks across the OT external supply chain, Applied Risk said in its report. Legislation and regulation are important drivers for starting an OT security program. 

Despite concerns about the security of the supply chain, comprehensive audits are rarely conducted, the Applied Risk report said. Only 33 percent of respondents say their organizations conduct regular audits of their own main suppliers, and only 27 percent conduct due diligence prior to contracting with new suppliers. Respondents agree that their organizations are at risk because of their inability to ascertain the security practices of their suppliers.

The Applied Risk report also found that air gaps are not seen as the ultimate remedy to prevent security compromises. Among the respondents, 32 percent are still using air gaps to prevent compromises, a surprisingly high number in view of the increasingly digitalized business landscape.

The respondents see that the lack of enabling technologies undermines their organizations’ ability to deal with the rising number of attacks perpetrated by increasingly sophisticated attackers, including nation-states. Their top concern is the prevalence of sophisticated attacks targeting their organizations.

Last month, assurance and risk management company DNV joined forces with Applied Risk to help customers across a range of industrial sectors identify their cyber risks, build a powerful force of defense against threats, recover from attacks and win stakeholder trust and support.
