There is growing awareness and concern that the increasing sophistication and severity of the various types of potential cyberattacks against the OT environment are putting the critical infrastructure that everyone depends upon at serious risk. In some cases, these incidents could lead to the loss of human life. In 2021, a ransomware attack against the Colonial Pipeline directly impacted Americans on the east coast who were confronted with the disruption of fuel supplies.
In response to such threats, the Cybersecurity & Infrastructure Security Agency (CISA) has recently announced a pilot program “designed to deliver cutting-edge cybersecurity services on a voluntary basis to critical infrastructure entities most in need of support”.
As defined in the research, OT is the hardware and software that monitors and controls devices, processes and infrastructure and is used in industrial settings. OT devices control the physical world while IT systems manage data and applications. Sponsored by Cyolo, the purpose of this research is to learn important information about organizations’ security and control procedures designed to mitigate serious risks in the OT environment. All respondents are knowledgeable about their organizations’ approach to managing OT system access and risk. The average annual IT security budget is $55 million and an average of $11.5 million of the budget is allocated to OT security activities.
Uncertainty about the number and types of assets in the OT environment puts organizations at significant risk. A key takeaway from the research is that organizations lack visibility into the industrial assets in their OT environment, making it difficult to ensure they are secure from potential cyberattacks. Only 27 percent of respondents say their organizations maintain an inventory of the industrial assets in their OT environment. Worse, 38 percent of respondents say their organizations have an inventory, but it may not be accurate or current.
Following are findings that illustrate the importance of aligning IT and OT priorities and improving communication between the two functions.
The lack of alignment between IT and OT can result in conflicting priorities about the importance of securing the OT environment despite the risk. As shown in the findings, secure access is a very or high priority for only slightly more than half of respondents (51 percent), and only slightly more than half (55 percent of respondents) say their organizations are very effective (33 percent) or highly effective (22 percent) in reducing risks and security threats.
Without regular communication between IT and OT teams, the goal of collaboration and alignment is difficult to achieve. Collaboration between the two teams is critical to ensuring consistent policies and processes are in place to secure access between IT and OT systems. However, only 39 percent of respondents say collaboration between the two teams is significant. Thirty-eight percent of respondents say the only time the teams communicate is on an ad-hoc basis (19 percent) or when a security incident occurs (19 percent). Only 16 percent of respondents say the teams communicate daily (6 percent) or weekly (10 percent).
OT and IT teams share responsibilities without regular communication. As discussed above, more regular communication is needed. OT cybersecurity responsibilities are mostly shared by the IT and OT teams (39 percent of respondents). Thirty-two percent say IT is solely responsible for managing the OT environment and 30 percent say OT is solely responsible for managing the OT environment.
Communication with senior leadership and boards of directors is also rare and may contribute to respondents’ concerns about the allocation of needed resources. Thirty percent of respondents say senior leadership and/or board members are updated on the OT security posture, policies and practices in place on an ad-hoc basis. Only 23 percent say they communicate frequently (10 percent say monthly and 13 percent say quarterly). Without being briefed on a regular basis, it may be difficult to convince senior leaders of the importance of increasing budget and in-house expertise.
Organizations are making progress in achieving secure connectivity between IT and OT systems. Most organizations (81 percent) say they have a goal of achieving convergence to be able to transmit data in one or both directions. Thirty-three percent of respondents say their organizations have established policies, tools, governance and reporting in place to control and monitor connectivity between IT and OT systems. Another 24 percent of respondents say that they have some policies in place to govern access between IT and OT systems.
Securing the OT infrastructure is the responsibility of senior executives in OT and IT. The two roles most involved in securing the OT infrastructure are the OT Vice President/Director (32 percent of respondents) and the CIO or CTO (29 percent of respondents). To strengthen the security posture in the OT environment, close collaboration between these two roles is needed and includes the deployment and integration of traditional IT security solutions as well as industrial control systems (ICS) protocols and assessments.
The following findings illustrate the progress being made in IT/OT convergence.
To advance IT/OT convergence, more organizations should adopt a blend of IT and OT security solutions. When asked how their organizations plan to introduce new tools to better secure the OT infrastructure, only 32 percent of respondents say their organizations are using a blend of IT and OT security solutions and 19 percent of respondents say they plan to expand existing IT security solutions to secure the OT infrastructure.
Convergence is considered important, but organizations are concerned about its impact on the OT environment. While IT/OT convergence can improve connectivity and the OT environment, more than half of organizations represented are very or highly concerned about the impact of convergence on the availability of IT systems/services (52 percent of respondents) and the safety and uptime of the OT environment (56 percent of respondents).
Convergence is considered to reduce security risks and improve the ability of IT and OT teams to collaborate. The benefits of increased IT/OT connectivity include a reduction in security risks (59 percent of respondents), improvement in the ability of IT and OT teams to collaborate (57 percent of respondents) and the ability to respond to unplanned asset downtime quickly (38 percent of respondents).
To achieve convergence, organizations need the budget, the ability to ensure security and collaboration between the IT and OT teams. The top three challenges to connecting IT/OT environments are the lack of budget (42 percent of respondents), security risks (35 percent of respondents) and siloed teams (32 percent of respondents). Those organizations that have no plans for connectivity blame the lack of budget, siloed teams and pushback from the OT team.
The following findings reveal the steps needed to improve secure access to the OT environment by internal teams and third parties.
The OT environment is heavily regulated and should drive investments in security solutions and in-house expertise to reduce risks and security threats. Eighty-one percent of respondents say their organizations must comply with regulations today (59 percent) or in the future (25 percent). Noncompliance can potentially result in costly fines.
The ease of accessing the OT environment by both internal teams and third parties using current tools does not receive high marks. Access is important to be able to extend IT and security tools into OT environments, to observe processes and/or check sensors and increase productivity. However, only half of respondents (49 percent) say the access experience is positive. Similarly, only 43 percent of respondents say the experience vendors/third parties have accessing OT systems with current tools is very good or excellent.
The importance of third parties in maintaining and supporting OT/ICS environments should make securing their access a priority. Third parties include all types of external suppliers, partners, service providers and contractors who perform important work for the organization but are not direct employees. Because of the complexity and specialized systems in OT/ICS environments, it is important to have third parties who can provide product/system support and maintenance.
According to the findings, an average of 77 third parties/vendors are authorized to connect to the OT systems represented in this research. Of the 73 percent of respondents who say their organizations permit access to the OT environment, 30 percent say they limit vendor/third-party access to on-site and 43 percent of respondents say third parties can access both on-site and remote. Only 27 percent of respondents say their organizations do not allow third party access.
Organizations need to address the risk of unauthorized access by third parties. Forty-four percent of respondents say the top challenge is preventing unauthorized access and 40 percent of respondents say it is keeping third-party access secure. Another top challenge is the lack of alignment between IT and OT security priorities regarding third-party risks.
Allowing third-party access is needed to maintain operations and prevent downtime, but there should be greater awareness of and attention to potential risks. Only 44 percent of respondents say their organizations are very or highly concerned about vendors/third parties accessing their OT environment.