Ponemon Institute is pleased to have conducted the research behind the recent report Architecting the Next Generation for OT Security, sponsored by Applied Risk. I’ve included the executive summary of the report in this month’s column. The full report can be downloaded from the Applied Risk website.
“This is a time of change and challenges,” the Applied Risk report begins. “It’s an era that is both transformative and disruptive, shaped by digital technologies that are improving billions of lives around the world, even as they make us vulnerable in ways we never anticipated.
This digitalization has been a fact of life for quite some time, but it is also becoming a factor in the operation of critical infrastructure and other industrial environments at an accelerating speed. At the same time, the Operational Technology (OT) systems that monitor and control industrial equipment, assets, processes and events in critical infrastructure are facing more and more threats from increasingly sophisticated malicious actors, including nation-states.
“In this dynamic environment, it is important to understand the thoughts and concerns that drive organizations to take action to keep their OT domains safe, secure and resilient. Applied Risk has undertaken the research needed to gain that understanding and to take a forward-looking approach to crucial questions about how to architect the next generation of OT Security solutions.
“The report, entitled “Architecting the Next Generation for OT Security,” is based on data collected by the Ponemon Institute from more than 1,000 IT and OT Security practitioners in the United States and Europe. The research was then complemented by input from the knowledge and experience that Applied Risk’s team has accumulated over the years, as well as analysis from the company’s own subject matter experts (SMEs).
“In this document, we present the results of that research. We use these data to assess current trends in the OT Security space, paying special attention to people-, process-, and technology-related issues, and offer recommendations on responses to these trends. Additionally, we describe current conditions in the OT Security realm and offer insight into the OT Security trends that are likely to emerge over the next two to four years.
“Respondents to the survey were asked to answer questions about how to architect the next generation of OT Security solutions. All respondents have responsibility for securing or overseeing cyber risks in the OT environment and understand how these risks impact the state of cyber security within their organizations. The research was then complemented by input from Applied Risk’s own engagements and assessments as well as analysis from our subject matter experts.
“Maximizing safety and minimizing unplanned outages are the top operational priorities for the organizations represented in this research. Reducing inefficiencies and minimizing operating costs are also high priorities, as is the ability to maintain plant connectivity. Respondents see the convergence of IT and OT systems as one of the primary drivers toward meeting these organizational targets. At the same time, though, they note that attackers are focusing more and more on industrial environments and are quickly developing OT skills – and that this shift has resulted in more sophisticated and clandestine attacks.
“The results of the survey indicate that companies are struggling to develop their OT Security maturity at a pace comparable to the speed with which attackers are developing their own skill sets. Meanwhile, the OT landscape is becoming more complex due to IT/OT convergence and to the introduction of Industrial Internet of Things (IIoT) devices, virtualization, and cloud computing in these environments. The overall sense of the respondents is that they need to do more to ensure that the business benefits of these new technological developments can be realized in a secure manner.
“More than half of the respondents believe that their cyber readiness is not at the right level yet and that they are not able to adequately minimize the risk of cyber exploits and breaches in the OT environment. As such, it is clear that there is still work to be done in general and across the board. The respondents are aware that they need to upskill their staff and that of their service providers and that they need better procedures. But above all, they understand that they will need enabling technologies to accelerate OT Security maturity. In summary, a combination of people-, process-, and technology-centric controls will remain key.”