Operational Technology (OT) and critical infrastructure security are top of mind these days. Organizations recognize the importance of OT security but are still struggling to build a strategy that can counter today’s mounting threats. Fortinet recently conducted research on this topic, culminating in the 2022 State of Operational Technology and Cybersecurity Report . The findings give insight into what’s working, what’s not working and what’s next.
The good: High threat awareness
What’s improving, albeit slowly, is that 97% of global organizations now consider OT a moderate or significant factor in their overall security risk posture. As OT systems become more attractive to malicious actors, C-level executives understand the significance of safeguarding these environments to reduce risk to their companies. It’s also worth noting that 52% of organizations have the ability to track all OT activities from the security operations center (SOC). That’s progress, but it’s still not enough, since it means nearly half of organizations with OT remain blind to important information affecting OT security. A lack of centralized visibility contributes to risk and weakens an organization’s security posture.
While OT security is increasingly important to most survey respondents, there’s still progress to be made.
The bad: Who owns OT security?
Organizations are still wrestling with full protection of their operational technology (OT) assets. In the relatively new world of IT connected and Internet-accessible OT, the report reveals that collective OT security efforts by enterprises across the globe represent progress but remain insufficient to provide full protection of ICS and SCADA systems. The problem may be compounded because, unlike IT security, OT security ownership is not yet a C-level responsibility, but rather is still being owned by relatively low-ranking professionals. However, more executives are aware of and concerned about the security of OT systems.
While the CTO and CISO/CSO remain among the leaders who most influence cybersecurity decisions, the survey suggests that others in the C-suite are weighing in on cybersecurity. This year, 35% of respondents ranked the CTO among the top three security influencers – down from 50% last year. And 33% named the CISO/CSO to the top three, down from 45% in 2021. One-third of respondents picked the vice president or director of network engineering or operations as the person with ultimate responsibility for OT security. This is a significant rise above the previous year's percentage.
Roughly twice as many organizations now vest OT security responsibility with an operationally focused leader as they do with the CIO or CISO/CSO. The slow and incremental progress organizations reported in their security maturity in the past year has done little to improve actual security results. Consequently, the great majority of OT organizations continue to sustain breaches—often many times each year.
The ugly: A confluence of risks
What’s worse, this lack of impact on the number of OT security breaches is occurring even as OT security moves higher in many organizations’ risk portfolios. Security is seen as increasingly critical considering current realities: geopolitical events are increasing the likelihood of assaults, more OT systems are being connected to the internet, and threats are becoming more sophisticated and causing greater damage. In the previous 12 months, a staggering 93% of companies reported suffering an incursion, with 78% having more than three. Downtime, monetary or data loss, brand reputational damage and even impact on safety were all consequences. Most organizations, without a doubt, have more work to do.
Three action steps for stronger security
Organizations need to adopt a new three-pronged approach to OT security to meet the demands of today’s shifting threat landscape and changes in the interconnected OT-IT environment.
First, put in place solutions that give OT a centralized view. Organizations should have centralized, end-to-end visibility of all OT activities in order to increase security. According to the survey, top-tier firms (the 6% of respondents who reported no intrusions in the previous year) were more than three times as likely to have such centralized visibility as their peers who had been hacked.
Second, consolidate security solutions and providers to facilitate cross-environment integration. Organizations should strive to combine their OT and IT solutions and to consolidate around a smaller number of providers to reduce complexity and obtain a centralized view of all devices, both IT and OT. Organizations can reduce their risk and improve their security and operational efficiency by using integrated security solutions.
Third, use network access control (NAC) technology. Organizations that avoided incursions in the previous year were significantly more likely to have implemented role-based NAC, which ensures that only authorized individuals have access to essential systems and digital assets.
Set the stage for OT security success
Given current geopolitical events, governments are warning that they expect cyber-attacks on essential infrastructure and key economic assets to escalate. Centralized, end-to-end visibility, along with tool and vendor consolidation and NAC use, will set the stage for success. Additional best practices include using AI-based tools that enable predictive behavior analytics, and security orchestration and automation technologies to support zero-trust access operations. Collectively, these capabilities will help organizations protect themselves against threats from malicious insiders, cybercriminals and state-sponsored attackers. These capabilities will also help organizations across a broad range of industrial sectors to mature their OT security more quickly.