Attacks against operational technology (OT) and industrial control systems (ICS) grew dramatically in the past few years. Indeed, a 2020 report found that digital attacks against those two kinds of assets increased by over 2000% between 2018 and 2020. Many of those attacks involved vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems and other ICS hardware components or password spraying techniques.
These types of security incidents are dangerous, as malicious actors can potentially misuse affected OT and ICS systems to disrupt critical national infrastructure (CNI). The power grid, interstate highways and water treatment plants are all examples of CNI in that they’re all essential to a country’s national security and that nation’s public safety. Notwithstanding their importance, teams have run into some challenges with securing CNI in the past.
This raises some important questions. How prepared are CNI organizations to defend themselves against digital attacks? What are the risks they face? And what are they doing to overcome them?
To answer those questions, Bridewell Consulting commissioned independent research organization Censuswide to conduct research among 250 UK security and IT decision-makers (ITDMs) across aviation, chemicals, energy, transport, and water. Those individuals’ responses illuminate how CNI organizations are feeling about their OT/ICS security. They also reveal areas where organizations can focus their time and money to better defend themselves going forward.
A Lack of OT Security Confidence
Bridewell Consulting found in its survey that many respondents were concerned about their employer’s OT system security. One-fifth of survey participants said that they weren’t confident in those efforts at their workplace. Specifically, 16% said they were “not very confident,” while 4% admitted they were “not confident at all.”
The reality is that CNI organizations face many digital risks. Take legacy systems, aging OT assets that are years if not decades old and that lack safeguards to defend against today’s security threats. The problem is that CNI organizations’ legacy systems aren’t getting any younger. On the contrary, 79% of respondents said that their organizations’ OT systems were over five years old. About a third (34%) said that they were at least 10 years old.
There’s also the risk of increasing digital connectivity. Like entities in other sectors, CNI organizations are undergoing digital transformations to streamline their operations, improve productivity and save costs. This involves connecting OT assets to the corporate network and to the Internet. Indeed, just 42% of respondents said that their OT/ICS environments weren’t accessible over the web; half of those had plans to make them accessible at some point in the future. Meanwhile, 84% of respondents said that their employers’ OT/ICS environments were already connected to the corporate network.
Together, these conditions increase the risk of malicious activity such as digital attacks, malware, physical security incidents, social engineering techniques and terrorism. That risk isn’t theoretical, either. A majority (86%) of ITDMs and security decision makers told Bridewell Consulting that they had detected digital attacks in their OT/ICS environments in the previous 12 months, with an average of nine attacks detected per organization. Of those respondents, 93% admitted that their employer had experienced at least one successful digital attack in the same span of time. About a quarter (24%) of them said that they had suffered more than five successful digital attacks during the year.
Many of those digital attacks bore expected consequences for their victims. The most common effects were financial penalties (27%), downtime (23%) and dismissal of an employee (23%). In some cases, however, CNI organizations reported even greater costs such as an increased risk to national security, loss of life and environmental damage at 19%, 16% and 15%, respectively.
Where CNI Organizations’ Digital Security Efforts Are Currently
CNI organizations aren’t oblivious to these digital security risks. That’s why when asked about the next 12 months, 28% of respondents told Bridewell Consulting that they were going to focus on introducing new methods of security testing. The same proportion of survey participants said that they were going to invest in digital security technology, while slightly fewer (27%) disclosed that they were going to focus on more regular patching and updates.
Those initiatives could translate into a significant change for some CNI organizations compared to what they’re doing now. Indeed, less than half of ITDMs and security decision makers said that they were carrying out penetration testing, risk assessments, red/blue/purple team assessments and other security assurance activities at the time of the survey. With new technologies and testing schedules in place, organizations could help to strengthen their defenses against the sources of malicious activity discussed above.
Even so, this needs to be done in a way that doesn’t add undue stress on security professionals who are already exhausted. A majority (85%) of decision makers said that they felt increasing pressure to improve their OT/ICS security controls within the past year. That pressure amounted to heightened stress for 47% of those respondents. Slightly fewer than that (41%) said that they had experienced burnout that led them to be absent from the business, while over a quarter (28%) of survey participants revealed that they had decided to resign.
Where This Leaves CNI Organizations Going Forward
CNI organizations can strengthen their digital security while minimizing the stress placed on security teams by working with a third-party services provider. As Bridewell Consulting explained in its survey:
A partner versed in cyber security best practice will be able to identify threats and vulnerabilities, provide independent advice and recommend remediation plans tailored to the organization and its unique requirements. The right partner will also be able to provide specialist cyber security skills to plug resource and knowledge gaps that are set to become a growing problem. One thing that is clear: the safety and longevity of CNI organizations will be at risk without urgent and vital improvements to their cyber resilience.
Specifically, CNI organizations might consider looking for partners who can help them to discover all their network assets. They can then use that insight to harden their systems and detect misconfigured devices. At that point, the partner can help those entities to monitor their network and systems for potential problems.
Learn how to augment your CNI organization’s OT/ICS asset security.