Some 90% of critical infrastructure (CNI) providers claim that their IT/OT environment has been damaged by a cyber-attack over the past two years, according to a new Ponemon Institute report.
Sponsored by security vendor Tenable, the Cybersecurity in Operational Technology: 7 Insights You Need to Know report features responses from 701 firms that run industrial control systems (ICS) and operational technology (OT).
Some 62% claimed they had suffered two or more damaging cyber-attacks over the previous two years, resulting in data breaches, and/or disruption and downtime. Half said they’d experienced at least one attack resulting in OT downtime.
For the year ahead, respondents are most worried about third-party risk (65%), IoT/OT-based attacks (63%), and downtime-causing OT attacks (60%).
A lack of visibility into the corporate attacks surface was cited by the vast majority (80%) as the top barrier to their ability to prevent threats.
A majority claimed skills shortages (61%) and a reliance on manual processes (55%) are major obstacles to assessing and remediating vulnerabilities effectively.
Some 70% claimed that improving communication with executives and board members is one of their governance priorities for 2019.
On the plus side, there are signs of growing maturity in this area. Nearly half of respondents (48%) said their organization attempts to quantify the damage to the business from cyber-attacks: an important element of a risk management approach.
Over half (60%) also claimed that C-level executives are most involved in the evaluation of this cyber risk.
“The issue with industrial systems is that many of them are old, 10-20 years old in some cases, and there is not necessarily a practical way to upgrade them due the criticality of their availability. Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have,” argued Exabeam co-founder, Sylvain Gil.
“We need more insight into the behaviors of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility — but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion."
The report featured interviews with IT/OT and cybersecurity professionals in energy & utilities; health & pharma; industrial & manufacturing; and transportation sectors.