Ponemon Institute study Cybersecurity in Operational Technology: 7 Insights You Need to Know shows the extent cyberattacks experienced by critical infrastructure operators, based on a survey of professionals in industries using industrial control systems (ICS) and operational technology (OT). Among key findings, security professionals in six countries revealed that 90% had been hit by at least one successful attack.
If you're tuning into the @BBCClick's interview with Tenable's Eitan Goldstein, he is going to be sharing the key findings from the latest @PonemonPrivacy report, sponsored by us. Find the full report here to read through post-interview! https://t.co/4P2EZky1xK #bbcclick #OT
— Tenable (@TenableSecurity) April 6, 2019
Experts Comments:
Byron Rashed, VP of Marketing at Centripetal Networks:
As noted, attacks continue to be successful due to the lack of cybersecurity teams to keep up with the attack surface. Organizations and various verticals are under constant attack by threat actors and highly organized cybergangs that are looking to monetize their malicious actions, and in critical infrastructure organizations the impacts of such attacks can be truly devastating. In many cases, such attacks are nation state driven or inspired.
Cybersecurity teams need to concentrate on the unknown rather than the known. By blocking know adversary nation states that target critical infrastructure (using geo blocking), and inbound/outbound traffic from known malicious sources, a CI organization will greatly increase their cybersecurity posture and enable their cybersecurity teams to concentrate on the unknown (zero-day, etc.) and increase the efficacy of the security stack in gaining the upper hand. Most breaches come from sources that are known to be malicious. Shifting to a blocking strategy will greatly mitigate risk.
George Wrenn, CEO at CyberSaint Security:
“Increasing communication up to the C-Suite and Board of Directors about cybersecurity threats is the top priority for 2019, and it’s no surprise why. The C-Level and Board of Directors are now responsible for knowing the risks across the business whether operational, reputational, or financial. As threats become more and more apparent, it will be necessary for the CIOs and CISOs of every organization to communicate cybersecurity risk and the company’s cybersecurity posture in a language that the Board and other non-technical stakeholders can understand and communicate to the public credibly if necessary.
“Another trend emerging here is validated, and that trend is that communicating cybersecurity risk via credible metrics is critical for the modern-day business. As nearly half of organizations to date attempt to quantify cybersecurity risk, it’s clear that this approach is only becoming more common, and necessary, to bridge the communication gap between financial, business, and security leadership.
“What most Boards and C-Levels may not know, however, is a single glaring issue that discredits these initiatives — most Boards and C-Suite do not know that their cybersecurity teams are relying on spreadsheets to keep track of their company’s data, and score their business with cybersecurity best practices. This report highlights this, saying that gaining required visibility will continue to be an issue because of heavy reliance on manual processes. The issue with this method? Compliance and risk data entered into a spreadsheet is invalid the moment that the assessment is complete – there is no real-time management of this data, nor a means to report on it credibly.
“When I was CSO at a Fortune 500, I faced the same problems – so much so that it caused me to build a product to help other CSOs, CISOs, and CIOs facing these issues. Together, cybersecurity leadership and business leadership must wake up to the inefficiencies at the operational level that inherently discredit their own reporting, posture, and are a barrier to the visibility they need. By adopting the automated, intelligent integrated risk management approach, security and business leaders will continue to move towards metrics and efficiency to facilitate better decision making, streamlined communication, and cybersecurity resilience.”
Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies:
“As this report from Ponemon highlights, the threat against key infrastructure is extremely high and the risk of attack is growing as more components are added to industrial networks. Over the past few months alone, our researchers have uncovered vulnerabilities in components such as industrial switches and PLCs, even those created by major vendors such as Siemens, Phoenix, and Moxa. One vulnerable component can mean the compromise of an entire industrial network. This is why these figures show that half of successful attacks result in downtime.
“Another way that hackers can compromise industrial networks is through corporate information systems, which are easier to hack. Our research has shown that this is possible in 73 percent of cases, sometimes even in the most trivial of attacks, such as using known passwords. Ultimately, the protection of critical infrastructure is a wholly different beast to traditional cyber security. The stakes are far higher, and each component on the network has to be weighed up against the risks of exploitation. The desire to add smart devices, sensors and IoT to networks is understandable but ultimately organisations have to acknowledge that hackers are out there and will try to undermine these devices to break in.”
Sylvain Gil, Vice President Products & Co-founder at Exabeam:
“The issue with industrial systems is that many of them are old, ten to twenty years old in some cases, and there is not necessarily a practical way to upgrade them due the criticality of their availability. Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have. We need more insight into the behaviours of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion.”
Tony Atkins, Regional Director at Nozomi Networks:
“The figures don’t surprise me, they emphasise the lack of maturity of the vast majority of organisations from an OT perspective and the insufficient resources, infrastructure and process to cope with the rapidly changing threat landscape.
Threat actors often share what they are doing amongst themselves in order to improve their attacks but I feel that organisations do not do the same because of cultural and individual behavioural challenges, such as fear of being seen as a failure or fear of reputational damage. Such intelligence however is crucial to the community in order to better understand the Tactics, Techniques and Procedures used by the threat actors
The adoption of the NIS Directive should help to support improved reporting. The increased adoption of AI and ML based tools in such areas of OT visibility, OT asset inventory etc. will help to reduce some of the human resource burden.”
