Operational technology breaches grow by 83%

Eighty-three percent of organisations suffered an operational technology (OT) cybersecurity breach during the prior 36 months. This is according to research by Skybox Security, which also uncovered that organisations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organisations will not suffer an OT breach in the next year.

“Not only do enterprises rely on OT, the public at large relies on this technology for vital services including energy and water. Unfortunately, cybercriminals are all too aware that critical infrastructure security is generally weak. As a result, threat actors believe ransomware attacks on OT are highly likely to pay off,” said Skybox Security CEO and founder Gidi Cohen. “Just as evil thrives on apathy, ransomware attacks will continue to exploit OT vulnerabilities as long as inaction persists.”

Network complexity, functional silos, supply chain risk, and limited vulnerability remediation options are all challenges to overcome. Threat actors take advantage of these OT weaknesses in ways that do not just imperil individual companies but that pose a wider systemic threat. 

Threat intelligence shows that new vulnerabilities were up 46% versus the first half of 2020. Despite the rise in vulnerabilities and recent attacks, many security teams do not make security a corporate priority.

One of the surprising findings is that some security team personnel deny they are vulnerable, yet admit to being breached. 

Navistar information security manager Robert Lynch said: “Some CISOs could have false confidence because even though they’ve already been breached, they have not identified this yet; sometimes hackers are there for a long period establishing their foothold. It is dangerous to be confident as the bad guys are so good.”

Key takeaways from the 2021 study include:

• Organisations underestimate the risk of a cyberattack
  Fifty-six percent of all respondents were “highly confident” their organisation will not experience a breach in the next year. Yet, 83% also said they had at least one OT security breach in the prior 36 months. Despite the criticality of these facilities, the security practices in place are often weak or nonexistent.
• CISO disconnect between perception and reality
  Seventy-three percent of CIOs and CISOs are highly confident their security system will not be breached in the next year. Compared to only 37% of plant managers, who have more firsthand experiences with the repercussion of attacks. While some refuse to believe their operating systems are vulnerable, others say the next breach is around the corner.
• Compliance does not equal security
  To date, compliance standards have proven insufficient in preventing security incidents. Maintaining compliance with regulations and requirements was the most common top concern of all respondents. Regulatory compliance requirements will continue to increase in light of recent attacks on critical infrastructure. 
• Complexity increases security risk 
  Seventy-eight percent said complexity due to multivendor technologies is a challenge in securing their OT environment. In addition, 39% of all respondents said that a top barrier to improving security programs is decisions are made in individual business units with no central oversight.
• Cyber liability insurance is considered sufficient by some 
  Thirty-four percent of respondents said that cyber liability insurance is considered a sufficient solution. However, cyber liability insurance does not cover costly “lost business” that results from a ransomware attack, which is one of the top three concerns of the survey respondents.
• Exposure and path analysis are top cybersecurity priorities 
  Forty-five percent of CISOs and CIOs say the inability to conduct path analysis across the environment to understand actual exposure is one of their top three security concerns. Further, CISOs and CIOs said disjointed architecture across OT and IT environments (48%) and the convergence of IT technologies (40%) are two of their top three greatest security risks.
• Functional silos lead to process gaps and technology complexity
  CIOs, CISOs, Architects, Engineers, and Plant Managers all list functional silos among their top challenges in securing OT infrastructure. Managing OT security is a team sport. If the team members are using different playbooks, they are unlikely to win together.
• Supply chain and third-party risk is a major threat 
  Forty percent of respondents said that supply chain/third-party access to the network is one of the top three highest security risks. Yet, only 46% said their organization as a third-party access policy that applied to OT.