If you’re interested in why the OT sector is facing an unprecedented level of cyberattacks and how companies can best cope with the onslaught, recent reports from SCADAfence and Fortinet should be on your must-read list.
Both reports confirm that cyber-risk is a real and present danger for OT and critical infrastructure. According to Fortinet, a staggering 93% of OT organizations experienced at least one intrusion in 2021, with 78% experiencing intrusions more than three times in a year. In this blog we’ll examine the top findings from these reports and offer some recommendations for securing your OT and critical infrastructure.
The human operator has crossed the digital chasm, and the security genie is out of the bottle. The SCADAfence report, which draws on survey data from over 3,500 OT and IT security experts across six continents, identifies the human factor as a significant point of vulnerability. Interestingly, this is due both to the prevalence of human error and to the skills gap that has plagued the security industry in recent years.
The report states: “The majority believe that the increasing shortage of OT security staff is decreasing the effectiveness of their organizations’ OT security, which is resulting in security gaps.”
Additional findings reveal that the human operator is where many serious security gaps occur:
79% of OT organizations say that internal human error is behind vulnerabilities that lead to OT security issues.
More than 50% blame poor visibility across the enterprise for increased risk.
69% believe that a lack of skilled OT security staff is diminishing security.
84% say that the ultimate responsibility for OT security lies at the door of the CISO.
The SCADAfence report offers valuable insights into areas causing the most trepidation in OT organizations. Below are some of the key findings, plus suggestions for how to take action to improve security:
Insight: Human error and visibility are the two top security concerns at OT firms. Underpinning both issues is the shift from closed systems, which could rely on air-gapping for security, to internet-connected systems that introduce new potential vulnerabilities. The Fortinet report into IT security concurs with this, finding that only 13% of organizations have complete centralized OT visibility.
Action: OT security concerns must be presented to the board and C-Level to discuss the overall risk profile. Visibility is a critical and fundamental challenge to surmount. Likewise, while human error can never be entirely overcome, steps can be taken to limit its impact. Advanced identity-centric zero trust approaches leave less room for human-caused crises (whether malicious or accidental) and also offer a way to make the invisible visible across expanded, disparate systems. According to Fortinet, “top-tier organizations are 37% more likely to have network access control technology in place.”
Insight: 79% of respondents to the SCADAfence survey state that human error significantly contributes to cyber-incidents. This concern appears justified, as unauthorized or poorly configured software and accidental malware installation are two of the biggest hurdles to securing an OT environment. In addition, third-party personnel on the ground, such as contractors and maintenance staff, pose a real challenge for security staff. These users perform functions that are necessary to keep operations running but, even more than direct employees, they are a hot target for hackers.
Action: Enforcing strong authentication and adopting identity-based access for third-party users are two actions that will limit the ability of human actors to purposefully or accidentally cause security incidents. As we highlighted in a past blog, “in OT networks, implementing MFA (multi-factor authentication) enables authorizing users in innovative ways that were not possible beforehand in such systems.” Moreover, as the same blog also explores, identity-centric zero trust access is a more secure way to connect third-party users to both OT and IT systems.
Insight: As already noted, a lack of visibility across cloud-based and fragmented networks compounds security challenges. Visibility is fundamental in securing any environment – you cannot secure what you cannot see. Accordingly, 42% of respondents cited poor visibility as a core challenge in managing OT risk.
Action: The report reveals that “deep and broad visibility” across the entire OT network is needed to ensure security. A security solution must be advanced enough to work across this expanded network and provide granular control and always-on verification.
Insight: The cybersecurity skills gap is hurting OT organizations. An alarming 83% of OT firms said there was a significant shortage of OT security personnel. In addition, an associated survey from SANS Institute found that amongst security staff, 52% do not understand the security issues of OT.
Action: Closing the security skills gap in OT will not be easy, but realistic budgets and internal training programs will help. Technologies and security services deployed as-a-Service by vendors, partners, or managed service providers (MSPs) can also augment OT firms’ needs as longer term solutions are devised.
Insight: Whenever IT and OT converge, or even just interface, security challenges follow. Smart sensors, new protocols and cloud computing allow more fluid data exchange than ever before. This sharing of data presents vulnerabilities and security gaps in the world of Industry 4.0. At the same time, new processes and ways of working generate new attack vectors and lead to increased cyber risk. Today over half of OT experts identify their firm as having completed full IT-OT convergence.
Action: IT-OT convergence also provides routes to better security; OT can adopt already-tested security measures built on the zero trust architectural approach. Communication between teams was viewed as one of the essential factors in successful IT-OT convergence. Respondents overwhelmingly (84%) expect that the CISO should take over responsibility for OT security to ensure appropriate secure environments are deployed.
The digital transformation of industrial organizations has created new challenges when it comes to securing access to networks, devices, and data. What has not changed amid the explosion of new technologies and new threats is that human beings remain the pivot upon which security turns. This may be the result of a lack of security skills or simply a factor of unavoidable human error; either way, security comes down to managing the human and thereafter managing the risk. Employing tools and technologies that control access to OT and IT resources based on an identity-centric zero trust approach is the best bet for solving top OT security concerns and building an excellent security posture.
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security and regulatory compliance of multiple OpCos, and Principal Security and Regulatory Lead for interactions with the NY and NE ISOs, NERC, ISACs as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.