In industries such as manufacturing, distribution and energy, technical evolutions are transforming operations and driving innovation. At the same time, devices, endpoints, and networks across both IT and operational technology (OT) environments are more connected than ever. This brings many benefits for businesses, but it’s also important to recognize the security implications of IT/OT convergence.
Independent research conducted by Fortinet surveyed industry leaders who manage and maintain OT infrastructure. This article will outline some of the defining security trends and practices that impact operations and demand an effective security strategy.
As operators of critical infrastructure (CI) continue to converge the cyber and physical aspects of their businesses, many have achieved more efficient and effective monitoring of critical processes, as well as an increased ability to virtually leverage data from enabled sensors, industrial applications, medical devices, and software-defined production processes. This range of capabilities, better known as the Industrial Internet of Things (IIoT), affords decision making in real-time and significant cost savings in terms of power consumption and employee efficiency.
However, the challenges of securing industrial control systems (ICS) against cyber threats continue to dominate the everyday to-do lists of OT teams. Without an effective OT security plan, these systems are left vulnerable to cyberattacks that could result in financial loss, reputational damage, and diminished consumer confidence, and could even threaten the safety of citizens and national security.
With the rise of IIoT and subsequent IT/OT convergence, industries have lost the “air gap” that historically protected OT systems from hackers and malware. OT systems that were traditionally built upon legacy software are much less likely to be patched, and the convergence with IT is resulting in the expansion of an attack surface that enables greater access to an environment where vulnerabilities exist. This connectivity not only brings added risk, but also opens the door for cybercriminals in a way that was not possible when these systems were isolated.
1. The most common IT/OT security concerns
With this in mind, the survey found that 96 percent of respondents foresee challenges as they move toward IT/OT convergence. As a result, these organizations have taken deliberate, careful movements to better protect these connected systems. Among the respondents, more than one-third reported concerns about the following OT security challenges:
- Third parties lack security expertise needed to assist with converged technology and IoT
- Sensitive or confidential data will be leaked
- If and when a breach occurs, organizations are not able to accomplish isolation or containment
- Organizations are facing increased regulatory pressures for ICS
In addition, compliance has become a growing concern for those managing OT systems. 70 percent of respondents reported mounting compliance pressures over the past year, and 78 percent feel this trend will continue for the next two years. According to the report, the regulations making the most significant impact are:
- The EU Data Protection Directive (GDPR)
- International Society (ISA) Standards
2. The rise of OT security breaches
The rate of cyberattacks on OT infrastructure is increasing, and these breaches are causing real damage. For example, in 2020 we have seen the appearance of the ‘Ekans’ ransomware, which specifically targets ICS systems in the industrial space.
Among those surveyed for the study, only 10 percent reported that they had never experienced this type of threat. In contrast, 58 percent of organizations surveyed have suffered an OT breach in the past 12 months, and as a result, more than 75 percent expect regulatory pressure to increase over the next two years. If this period of consideration is extrapolated to 24 months, the breach rate rises to 80 percent, illustrating that OT systems are indeed cyber adversary targets of primary interest.
It is no surprise, then, that there has been a strong drive to commit greater resources to security, with 78 percent planning to increase their ICS security budgets this year.
3. Security measures remain a challenge for OT leaders
The study also found that between 36 percent and 57 percent of organizations lack consistency when it comes to measuring items on a list of standard metrics. Among the most commonly tracked and reported areas are vulnerabilities (64 percent), intrusions (57 percent), and cost reduction resulting from cybersecurity efforts (58 percent). Conversely, fewer than half of surveyed organizations (43 percent) are known to report on tangible risk management outcomes, and 39 percent to 50 percent do not routinely share basic cybersecurity data with senior executive leadership.
Respondents also cited security analysis, monitoring, and assessment tools as among the most essential features in security solutions, with the majority (58 percent) ranking these specific attributes in the top three. Despite the prioritization of these features, however, 53 percent reported that security solutions hinder operational flexibility and half reported that they create more complexity.
4. Protecting business partners
As security concerns for OT infrastructure rise, it’s important for businesses to also consider the implications for their partners. To prevent breaches impacting third-party organizations, it’s critical that businesses grant limited and privileged access to appropriate personnel only.
The study found that the organizations that were most successful with securing the OT environment were also 129 percent more likely to severely limit or even deny infrastructure access to their business partners. Similarly, these businesses were 45 percent more likely to keep certain security functions in-house rather than outsourcing them.
Protecting the OT enterprise is crucial to business success. As industrial systems continue to evolve, OT leaders are faced with new security challenges that have led to new priorities. To appropriately protect high-value cyber-physical assets, those who manage and maintain critical infrastructure must keep abreast of the latest security trends, especially those related to IT/OT convergence, and understand how to secure their migration into this broader, digitally transformed landscape.
Adrian Louth, Operational Technology Cybersecurity Business Development, Fortinet