Across industries, owners and operators of critical infrastructure (CI) continue to converge the cyber and physical aspects of their businesses. This merger has enabled more efficient and effective monitoring of critical processes, as well as the ability to virtually leverage data from enabled sensors, industrial applications (including robotics), medical devices and software-defined production processes. This range of capabilities, better known as the Industrial Internet of Things (IIoT), affords real-time decision making and significant cost savings in terms of power consumption and employee efficiency.
Despite these benefits, organisations must also understand the potential security risks they are facing as IT and Operational Technology (OT) departments and their respective support systems converge. Absent an effective OT security plan, ICS/SCADA systems are left vulnerable to cyberattacks that could result in financial loss, reputational damage, diminished consumer confidence and even threaten the safety of citizens and national security.
Arguably, the importance of protecting the OT enterprise and integrated ICS/SCADA systems can hardly be overstated. There is an absolute dependence on safe and sustained operations that span everything from Manufacturing to Energy and Utilities to Transportation infrastructure – these OT vertical sectors comprise and deliver a range of services that citizens around the globe count on daily. The advent of executive-level commitment to digital transformation strategy and proportional operational efficiency gains has given rise to a significant range of cybersecurity concerns, as these historically air-gapped systems are now exposed to cyber risks and a broader attack surface.
This commitment to OT system efficiency, in turn, raises the bar for OT Security standards, making it more difficult than ever for organisations to adequately protect their high-value cyber-physical assets. With this in mind, Fortinet and Forrester have come together for a third time to survey industry leaders who manage and maintain OT infrastructure. Overall, the purpose of this report is to identify and illuminate the security trends and practices that impact operations and demand security strategy and investment.
Here are key findings from the latest report.
OT security breaches are anything but rare
OT security breaches are taking place at distressing rates. Among those surveyed for this study, only 10% reported that they have never experienced this type of threat. In contrast, 58% of organisations surveyed have had a breach in the past 12 months and as a result, more than three-quarters expect regulatory pressure to increase over the next two years. In fact, if you expand the period of consideration to 24 months, the breach rate rises to 80%, illustrating that OT systems are indeed cyber adversary targets of primary interest.
It is no surprise, then, that there has been a strong drive to commit greater resources to security – 78% plan to increase their ICS/SCADA security budgets this year.
Organisations are moving purposefully toward IT-OT convergence
OT systems traditionally thought to be “hardened” by an air-gap are often built upon legacy software and hardware, with life cycles that can be measured in decades. Naturally, one significant takeaway from the move to converge IT and OT networks is the expansion of an attack surface that enables access to an environment where vulnerabilities exist. Indeed, it is the very pursuit of operational efficiency through IT/OT convergence that resulted in broad connectivity and exposure to more traditional IT threats. This connectivity not only brings added risk but, more likely, opens the door for cybercriminals in a way that was not possible when these systems were isolated.
Concerns over the complexity of converged IT/OT systems were also noted in the survey. Almost all respondents (96%) foresee challenges as they move toward convergence, resulting in deliberate, careful movements that centre on concerns around security. Among the respondents, more than one-third reported worrying about the following OT security challenges:
Finally, compliance has become a growing concern for those managing OT systems. Seven in ten report mounting compliance pressures over the past year and 78% feel this trend will continue for the next two years. According to the report, the regulations making the most significant impact are:
One source of risk associated with IT-OT convergence is the added exposure of infrastructure to business partners. Granting appropriate privileged access to the appropriate personnel is critically important. The Fortinet/Forrester Research study found those organisations that were most successful with securing their environments were also 129% more likely to severely limit or even deny access to their business partners.
Similarly, they were also more careful about allowing access to IT providers, granting only moderate access. Finally, these top-tier organisations were 45% more likely to keep certain security functions in-house rather than outsourcing them. However, they are also more likely to have outsourced network analysis and visibility.
So, what does this all mean? Partners – and the types of relationships that organisations form with them – are meaningful. Granting the appropriate access, making the best outsourcing decisions and identifying situationally-ready partners will be vital to securing OT systems amid digital transformation.
As industrial systems continue to evolve, OT and cybersecurity leaders are faced with new challenges that have led to new priorities. Due to the complexity of IT/OT convergence, organisations have been deliberate in their adoption of processes to avoid data leakage or other modern threats. To appropriately protect their high-value cyber-physical assets, those who manage and maintain critical infrastructure must keep abreast of the latest security trends, especially those related to IT/OT convergence, and understand how to secure their migration into this broader, digitally transformed landscape.
By Rick Peters, Operational Technology Global Enablement Director at Fortinet