For all the worries and heartburn that critical IT networks cause for IT security leaders, the security concerns can be even greater for operational technology (OT) networks used in industry, according to a new study of 1,000 IT security pros. Some 74% of the survey’s global respondents reported they are more concerned about a cyberattack on critical infrastructure than an enterprise data breach within business IT systems.
The report, “The Global State of Industrial Cybersecurity,” which includes responses from full-time IT pros in the US, UK, Germany, France, and Australia, found that business security leaders in the US are more concerned about the security of their industrial OT systems than are leaders in other nations. While 51% of the US respondents said they believe that today’s industrial networks are not properly safeguarded and need more protection, 55% believe that US critical OT infrastructure is vulnerable to a cyberattack. The study was conducted in the fourth quarter of 2019 by Pollfish for OT and IT cybersecurity firm Claroty.
The data also showed that global IT security professionals have a more positive overall outlook about their OT network security compared with their counterparts in the US. About 62% of the global IT respondents said they believe that industrial OT networks are properly safeguarded, compared to only 49% of US respondents. A majority of both US and global IT security leaders, however, reported that they believe a major successful industrial infrastructure cyberattack will come in the next five years in their respective countries: 63% of US respondents and 67% of global respondents said so.
Some 43% of global respondents said those attacks will likely come from hackers and unauthorized network access, while 33% said they will come via ransomware attacks, 14% said they will come from other malware attacks, and 10% from sabotage. Among US respondents, 56% said those attacks will likely come from hackers and unauthorized network access, while 21% said they will come from ransomware attacks. Some 12% said they will come from sabotage, and 10% said they will come from other malware attacks.
Dave Weinstein, Claroty’s chief security officer, told TechRepublic that the biggest surprise he sees in the study’s findings is that many global respondents feel that critical OT infrastructure networks are adequately protected and safeguarded from threats.
“OT security is a new area of cybersecurity for most organizations, and while critical infrastructure owners and operators have made great progress in the last few years with reducing their cyber risks, most are still at the very beginning of what will be a long and continuous journey to maturity,” said Weinstein.
The higher confidence in OT security among global IT security leaders compared to those in the US can be explained by varying cyberattack patterns around the world, he said. “IT and OT security practitioners all over the globe are increasingly aware of the changing cyber risk landscape. It’s possible that because IT professionals in the US are under a constant barrage of attacks–arguably more so than elsewhere across the globe–they view the situation through a slightly bleaker lens than the rest of the world.”
Weinstein said he is not, however, surprised that many respondents see OT cyberattacks on critical infrastructure as more dangerous than IT network attacks. Some 74% of the global respondents said they are more concerned about a cyberattack on critical OT infrastructure, compared to 26% who said they are more concerned about IT enterprise data breaches. Among US respondents, 65% said they are more concerned about OT attacks, compared to 35% who said they are more worried about enterprise data breaches.
“One of the distinguishing characteristics of OT attacks compared to IT attacks are the implications for safety,” said Weinstein. “OT is an environment where cyber meets physical, and therefore, cyberattacks against these systems can manifest themselves in hazardous and unsafe conditions for those on the plant floor and potentially beyond. Thankfully, there have only been a small number of dangerous attacks.”
For IT security leaders, managing an OT network’s security continues to be different than monitoring an IT network’s security, according to Weinstein. In OT networks, operators can’t just implement patches every day or discover devices or monitor traffic using traditional techniques or tools, he said. That’s because most of the assets on an OT network communicate using proprietary, vendor-specific protocols that can’t be easily parsed and understood, making traditional IT system approaches unusable.
“Most IT infrastructure was designed with security in mind,” he said. “Likewise, IT infrastructure is built for interconnectivity. The OT environment, by contrast, wasn’t originally designed to be secure, and it certainly wasn’t designed to be interconnected. When managing an OT network’s security, IT professionals must be cognizant of these fundamental differences and how they impact traditional security operations and policies.”
To better protect businesses from cyberattacks of all kinds, there needs to be an improved convergence of OT and IT security emphasis and strategies inside companies which rely on both kinds of networks, said Weinstein.
“First, you must gain deep visibility into precisely what is on your OT network and how those assets are behaving,” he said. “This critical first step includes understanding not just what is on the network, but also the communications happening between and among these assets.”
In addition, business security leaders must put in place mechanisms to bridge the cultural and communication divide between IT security professionals and OT and automation engineers, he said. “This collaboration will be critical down the road. And finally, build a roadmap that culminates in harmonizing the continuous security monitoring of the IT network with that of the OT network. This evolution won’t happen overnight, but it is a critical milestone for ultimately closing the IT-OT security gap.”