Most IT and security leaders in critical infrastructure (CNI) organizations are underestimating the scale of the cyber-threat, despite having suffered breaches over the past three years, according to Skybox Security.
Cybersecurity vendor, Skybox Security, polled 179 operational technology (OT) security decision-makers in the US, UK, Germany, and Australia with most hailing from companies with $1bn or more in revenue from the manufacturing, energy, and utility industries.
The study found that 73% of CIOs and CISOs are "highly confident" their organizations will not suffer an OT breach next year, despite 83% having suffered such an incident over the past 36 months.
Tellingly, just 37% of hands-on plant managers were similarly confident, highlighting the disconnect between perception and reality at a senior decision-making level.
A third (34%) of respondents also appeared to be over-relying on insurance as a security ‘strategy,’ claiming it is a sufficient solution.
However, some did recognize escalating cyber-threats. Two-fifths (40%) noted that supply chain/third-party network access is one of their top three security risks, but less than half (46%) said their organization has a third-party access policy applicable to OT.
Silos and tech complexity also weighed heavily on respondents: 78% said multi-vendor environments make it more challenging to secure their organization and half (48%) complained of disjointed architecture across OT and IT environments.
A further 40% said IT-OT convergence was a top-three risk. As legacy OT technology is enhanced with connectivity, it becomes exposed to internet-based threats capable of exploiting unpatched systems. Patching can be problematic on OT kit as much of it is mission critical and there are compatibility issues with legacy apps and operating systems.
Skybox Security Research Lab threat intelligence lead, Sivan Nir, argued that new OT vulnerabilities were up 46% compared to the first half of 2020.
“Despite the rise in vulnerabilities and recent attacks, many security teams do not make OT security a corporate priority. Why? One of the surprising findings is that some security team personnel deny they are vulnerable yet admit to being breached,” he added.
“The belief that their infrastructure is safe — despite evidence to the contrary — has led to inadequate OT security measures."