This week, as part of the PAS OptICS conference, we released the results from our OT Cybersecurity Readiness survey conducted during September and October 2020.
The topline finding from the survey is that a substantial majority of responding organizations are inadequately prepared for an operational technology (OT) cyber attack with only 15% saying there are highly prepared for such an attack with the other 85% indicating less than a high level of preparedness.
But before discussing the results further, let’s review the survey demographics.
The PAS OT Cybersecurity Readiness survey was fielded to industrial contacts known to PAS as well as promoted on social media via the PAS corporate accounts on LinkedIn and Twitter. (93% of the respondents were sourced from known PAS contacts with 7% sourced via social media which may include both existing PAS contacts and those who are not). All respondents were required to confirm that they are directly involved in either business or technical decisions related to OT cybersecurity. Those who did not attest to direct involvement in either types of decisions were disqualified.
Qualified respondents represented a broad cross-section of geographies, industries, and company sizes, specifically:
- Geography – North America (41%), Asia-Pacific (24%), Central and South America (15%), Middle East (12%) and Europe (9%)
- Industries – Oil & Gas including Petroleum Refining and Petrochemicals (50%), Power Generation & Utilities (15%), Chemical Processing (12%), Mining & Metals (9%), Pulp Paper & Wood (4%), Discrete Manufacturing (2%), Agribusiness (2%), and other industries (7%)
- Company sizes – Less than 500 staff (24%), 10001 to 25000 staff (16%), 501 to 1000 staff (16%), 5001 to 10000 staff (13%), 2501 to 5000 staff (12%), 1001 to 2500 staff (9%), 25001 to 50000 staff (6%), and greater than 50001 staff (4%)
The total number of respondents was 132. As such, we found the respondents to be a good representative sample of the global industrial market.
Only 12% indicate OT cybersecurity risk is low
Regarding their assessment of the overall OT cybersecurity risk level, only 12% of respondents indicated they see the risk as low with 44% indicating medium risk, 24% high risk, 9% very high risk and 12% unsure. This is indicative of a recognition by the survey respondents that the cyber risk to OT is real with a combined one-third putting that risk at a high/very high level.
Human Error, Nation States, and Digital Transformation top the list of OT cybersecurity threats
In terms of ranking various cybersecurity threats, respondents indicated that Human Error topped the list at #1. The risk to process safety from human error has long been seen as the leading risk area in the industrial sector and it is interesting to see how this now carries over to cybersecurity as well. Errors introduced through opening of ports, misconfiguration of settings, failures in patching, and more – through no malicious intent on the part of staff – are clearly top of mind as major OT cybersecurity risks.
Ranked a close second and third are the cyber risks associated with Nation-States (cyber espionage or cyber warfare) and Digital Transformation (e.g. deployment of technologies such as 5G, Industrial IoT devices, and Cloud systems & data). The number of published reports related to active nation states continues to grow with high-profile examples dating back now several years (e.g. Stuxnet, Triton/Trisis) and more recent examples related to targeted attacks on public utilities such as power grids and water systems. Anecdotal conversations with customers in 2020 also indicate a rise in the threat risk associated with cyber espionage and the attempted or successful theft of intellectual property.
The industrial sector has long valued the Purdue model for the isolation of different systems within OT and corporate networks. The introduction of digital transformation technologies has upended that traditional model with the ability for Level 0 and Level 1 devices to communicate to corporate data lakes and decision support systems sitting at Level 4 on the corporate network or Level 5 connected to the public internet (e.g. cloud-based). Thus, is it not surprising to see how high Digital Transformation ranks as a cyber risk threat. A balance needs to be struck between the benefits of Digital Transformation and the risks. With the desire of executive teams to pursue Digital Transformation initiatives only increasing, teams are hard-pressed to justify slowing down such efforts to mitigate risk. This is an area where more proactive identification or risks is an imperative.
Remote Work (due to COVID-19 or other factors) was ranked fourth, followed by Criminal Activity in fifth place and, rounding out the list in sixth place, Internal Malicious Actors. COVID-19 has presented the industrial sector with unprecedented acceleration in the need for remote work and operations. Many industrial organizations have been testing and expanding remote operations capabilities for years, but it has been at a slow pace. COVID-19 has dramatically accelerated the reliance on remote staff to manage day-to-date plant operations. Based on numerous conversations with PAS customers, this led initially for many organizations to expand remote access, sometimes even directly over VPN or via jump boxes to the industrial controls systems at the heart of the plant. What we are now seeing is a more judicious evaluation of the risks of expanded access and increased fine-tuning of who needs access to which systems and whether alternative methods can be used to manage remote operations without expanding the attack surface (e.g. relying on a copy of configuration settings maintained in a product like PAS Automation Integrity rather than directly exposing access to the control system).
Industrial organizations are inadequately prepared for increasing OT cyber attacks
Only 15% of survey respondents indicated they have a high level of preparedness for an OT cyber attack with 54% indicating a medium level of preparedness and a surprisingly large 27% indicating a low level of preparedness with a final 4% unsure of their level of preparedness. Given it has been several years now since some of the early high-profile industrial cyber attacks, to see nearly 3 out of 10 organizations indicating a low level of preparedness was not what we expected from the survey results. Instead, we expected a larger majority to indicate at least medium or high levels of preparedness. It will be interesting to see how this changes over time in future surveys.
We also asked about preparedness for an OT cyber attack that resulted specifically in changes to a control system’s configuration (which manages how molecules and electrons are manipulated in industrial facilities and could be modified to disrupt production or cause safety and environmental incidents.) Here the level of preparedness was not much better with just 18% reporting they have a high level of preparedness for such an attack. 49% reported a medium level of preparedness, 29% a low level, 3% not prepared at all, and 2% unsure. Given the critical role that control systems play in OT environments, we are compelled by these results to work even more closely with our clients and industrial organizations not yet leveraging PAS solutions to aid them in this critical area of OT cybersecurity preparedness.
The lack of preparedness also stands in contrast with the reality that cyber attacks are now occurring with increasing frequency. 16% of survey respondents said they had experienced an OT cybersecurity incident in the last year with a further 21% indicating they were unsure whether their organization had experienced such an incident. Considering that all qualified survey respondents are directly involved in either business or technical decisions related to OT cybersecurity, that level of uncertainty is certainly a cause for concern in addition to the percentage actually reporting they had experienced an OT cybersecurity incident in the last year.
One of the critical foundational capabilities for effective OT cybersecurity is a detailed and accurate asset inventory. Here most organizations report that they fall short with only 15% saying they have a high level of completeness and/or accuracy in their asset inventories. An additional 15% reported having no asset inventory at all, with another 18% reporting that they have a low level of completeness and/or accuracy, and 53% identifying as having a medium level of completeness and/or accuracy. In our own experience, we have been seeing the number of industrial organizations investing in products like PAS Cyber Integrity to improve the quality and completeness of their OT asset inventories, but it is clear much more work needs to be done based on the survey results.
The survey also asked specifically about OT vulnerability management program investments, another key foundational capability for effective OT cybersecurity. On this question, only 27% of respondents indicated they have an OT vulnerability management program that is proactive based on business risk prioritization. This was a “check all that apply” question and 25% indicated they are proactive based on technology risk prioritization and 25% proactive based on compliance controls. What was most surprising, though, to us was that 38% said their approach to OT vulnerability management is “Ad hoc or reactive” and 22% do not even have an OT vulnerability management program in place – despite this being a long established best practice in the IT cybersecurity realm.
In terms of how long it takes to identify if an OT vulnerability is present and unpatched, 28% reported that they were able to do so in less than a day’s time. Given the level of incompleteness and/or inaccuracy reported by the respondents in their OT asset inventories, this percentage seems a bit high to us and it is likely that these organizations are still relying on tribal knowledge from operations team members, which brings its own risk as the workforce in industrial plants continues to age. A further 31% reported that it takes them usually less than a week to identify if an OT vulnerability is present and unpatched, however, 22% reported that it takes them at least a few weeks to do so and a further 19% were unsure exactly how long it takes their organization. One need only consult the National Vulnerability Database (NVD) to see how the pace of disclosed OT vulnerabilities continues to rise and how these survey findings demonstrate there is a substantial time lag for industrial organizations to identify whether a vulnerability is present let alone remediate it.
Turning to a more positive finding from the survey, we asked about the type of OT network security capabilities that the respondents’ organizations have in place, and it was encouraging to find that 79% have implemented network segmentation and a firewall between their corporate/IT and OT/process control network (however, one does wonder why the others have not done so by now). 19% indicated they have network breach detection monitoring in place for their OT/process control network and also forward events to their Security Operations Center (SOC) and 21% reported having network breach detection in place but not forwarding events to their SOC. Again, more progress needs to be made and faster in this area also to confront the increasing OT cybersecurity risk.
Finally, we asked about which cybersecurity standards and frameworks industrial organizations are leveraging. 66% reported they are leveraging the ISA/IEC 62443 set of standards, 54% the NIST framework, 21% NERC CIP, 10% the Center for Internet Security (CIS) Controls, and 9% the EU NIS Directive. 10% reported also using other standards and frameworks such as OG86, NCSC, CAF, C2M2, AESCSF, and internal frameworks. Finally, 18% reported using no standards and frameworks or that they were unsure what their organization might be leveraging.
Looking at the survey results with the glass “half full,” it is clear the industrial sector has made progress in improving OT cybersecurity capabilities and recognizing the risks, however, the results from our survey indicate much work remains to be done to improve the level of preparedness. Malicious actors are getting smarter about targeting industrial organizations and the “half empty” view long espoused by IT security teams should be embraced by industrial operations teams that “it is not a question of if but when” and the time is always now to do more to identify and reduce risk.