In a 2021 survey conducted by the SANS Institute, 15% of organizations said that they had suffered a security incident involving their Operational Technology (OT) environment in the past 12 months. The number of victims could be even higher, however. Nearly half (48%) of survey participants said that they were not sure whether a security incident had occurred in their OT environment. An additional quarter of respondents revealed that they could not answer the question due to their company policy.
Some of those OT attacks received more media attention than others. Recall what happened in the Colonial Pipeline attack. The DarkSide ransomware gang targeted the pipeline company and succeeded in infecting its business networks. In response, the company deactivated its IT systems as well as other assets responsible for maintaining its pipeline operations. This decision effectively disrupted the daily flow of 100 million gallons of gasoline, jet fuel, and diesel along 5,500 miles of pipeline, causing gas shortages and panic buying in different parts of the country.
This attack activity raises the following question: what factors are contributing to this OT risk?
Pain Points of Upholding OT Security
Applied Risk explored this question and more in a December 2021 report entitled, “Architecting the Next Generation for OT Security.” For the study, Applied Risk commissioned the Ponemon Institute to survey over 1,000 OT and Information Technology (IT) security practitioners based in the United States and Europe. The industrial cyber security provider also drew upon the expertise of its own subject matter experts (SMEs) to complement its research.
For one part of the study, the Ponemon Institute asked respondents to rate the “pain” associated with managing certain aspects of their organization’s OT security on a scale of 1 (minimal pain) to 10 (severe pain). This exercise yielded three main pain points with ratings ranging between 7 and 10. First, two-thirds of respondents said sophisticated attacks were on the rise. Such a view highlights how incidents like the Colonial Pipeline attack are becoming increasingly commonplace and challenging organizations' security efforts in the process.
Next, more than half (55%) of respondents named the growing complexity of their OT environments as a severe pain point. Complexity makes it more difficult for OT teams to achieve comprehensive visibility of their resources. By extension, it makes it harder for infosec personnel to visualize and remediate potential security issues before they escalate into larger incidents that could jeopardize their operations and/or data.
Finally, survey participants said that their defensive capabilities didn’t fulfill their security requirements. They identified specific shortcomings when it came to their people, processes, and technology. Let’s examine these factors in more detail below.
- People: Many respondents indicated that the cybersecurity skills gap was limiting the effectiveness of their OT security efforts. Indeed, just 42% of them said that they had enough staff to manage security risks in their OT environments.
- Processes: Supply chain management was one of the processes most frequently cited by survey participants in this category. For instance, 61% of respondents said that their organizations were at risk because they lacked the ability to determine the security policies of third-party entities. Approximately the same proportion of individuals wrote that organizations were struggling to mitigate cyber risks across the external OT supply chain. Meanwhile, about a quarter of participants said that they’ve never conducted an audit of their supply chain.
- Technology: In terms of technology lapses, only half of the survey participants said that they’ve leveraged automation to monitor and secure their OT assets. Nearly a third (31%) of respondents went as far as to say that their organizations were not using any of those enabling technologies. This explains why security professionals named outdated control systems and vulnerable software in facilities as some of their greatest obstacles to minimizing risks in their OT environments. Vulnerabilities affecting industrial control systems (ICS) increased 41% in the first half of 2021 compared to the preceding six months. Without the necessary technology, security teams can’t detect those weaknesses, let alone prioritize and remediate them on a timely basis.
How Can Organizations Revamp Their OT Security Going Forward?
One of the ways that organizations can respond to the OT security challenges discussed above is by using the IT-OT convergence to their advantage. Applied Risk specifically pointed out that teams can collect data across their systems to identify potential digital attacks. Such data collection won’t work without a coordinated effort from different teams and stakeholders, however. With that in mind, organizations can consider creating cross-functional IT and OT security teams to collect information. This will help to eliminate information silos that hinder investigations into legitimate security concerns—including those that penetrate or involve OT environments in some way.
Towards that end, organizations can embrace certain key technologies. Such solutions include automation as well as Identity and Access Management (IAM). Teams can then integrate those technologies together into a unified security approach like zero trust that uses network segmentation and other controls to validate users, devices, accounts, and other resources.
OT Security for the Future
Organizations are ultimately in charge of the future of their business. With that said, they should not underestimate the role that their security will play in the upcoming years. They have the opportunity to seek out professionals who can help them focus on their growth.