With industrial control systems (ICS) becoming more connected due to the introduction of operational technology (OT) and industrial internet of things (IIoT), the threat of a successful cyberattack causing major damage could now be a reality. So much so that a new study by Tripwire and Dimensional Research revealed that 66 percent of ICS security professionals now acknowledge that a successful attack could have catastrophic consequences such as an explosion.
The study surveyed ICS security professionals in manufacturing, energy and utilities, transportation and chemical industries and also revealed 93 percent are worried about cyberattacks causing operational shutdown or customer-impacting downtime.
Other key findings include:
- About half (49 percent) said that collaboration between IT and OT has improved over the past two years.
- More indicated that IT is taking the lead on ICS security (44 percent) vs. OT (14 percent); 35 percent said it is evenly split between IT and OT.
- More than three-fourths (79 percent) say there is a gap in training OT and IT staff on the unique needs and requirements for securing OT environments. Of those who made cybersecurity investments over two years (77 percent), education and training was the most common investment (82 percent).
- Only 52% have more than 70% of their assets tracked in an asset inventory.
- Almost one-third (31%) of organizations do not have a baseline of normal behavior for their operational technology (OT) devices and networks.
- Less than half (39%) do not have a centralized log management solution in place for their OT devices.
Whilst it is not too surprising that availability and plant up-time was a major concern, it was good to see that 77% have invested in this area in the past couple of years. Indeed, the industrial and operational technology sector is having to quickly wake up to the business challenge of cybersecurity risk
That 68% believe that it will take a significant attack to release more budget from their businesses is a sad indictment of how this risk is perceived and managed by many boards. I just hope that these companies have a decent response and recovery process as I can guarantee they will be subject to some form of cyber event or incident that will impact their OT systems in the future, whether they like it or not.