New Report Underscores Why OT Security Must Become a C-Suite Top Concern

By William Noto | June 17, 2022

A new global survey offers valuable insight for OT security leaders. The 2022 State of Operational Technology and Cybersecurity Report released by Fortinet reveals that organizations are still moving too slowly toward full protection of their operational technology (OT) assets. With 93% of OT organizations experiencing an intrusion in the past year and 78% of them experiencing more than three intrusions, it’s more imperative than ever that CISOs and business leaders improve their OT security and implement best practices outlined in Fortinet’s report.

OT Security Owned by Low-Ranking Personnel

Data found in the report is culled from a survey of more than 500 OT professionals. The worldwide survey was conducted in March 2022, and respondents ranged from managers to C-level executives who held OT and OT security leadership positions. The organizations that these individuals work for are in a wide range of industries, including manufacturing, energy, transportation and logistics, and healthcare.

One key takeaway from the report is that “while OT security has the attention of organizational leaders, it continues to be owned by relatively low-ranking professionals.” According to the report, only 15% of survey respondents say that the chief information security officer (CISO) is responsible for OT security at their organization. The survey says OT security is primarily overseen by manager- and director-level staff in a range of roles like plant operations. OT security needs to be elevated to a top-level concern as industrial systems increasingly become a target for cyber criminals.

The Background on OT’s New Vulnerability

When the PLCs (programmable logic controllers) that run virtually all industrial control systems (ICS) or operational technology (OT) networks were first designed, security was not a concern. PLCs didn’t need to verify the authenticity of message senders and controller communications, and they also had no need for an encryption capability. Having no security measures was acceptable until OT networks ceased to be air-gapped from IT networks.

Now, with the convergence of OT and IT networks and with the digitization of OT processes, operational technology is vulnerable to cyberattacks. Many benefits have come from the integration of OT and IT networks, including improved productivity, efficiency, responsiveness, and profitability. However, this interconnectedness has also made OT networks as vulnerable to cyberattacks as IT networks are. Clearly, CISOs need to make the protection of their OT networks a high priority in their security strategies.

The Case for Making OT Security a Top-Level Concern

There are several very good reasons for OT security to get serious attention from the C-suite of any industrial organization. Using survey data, the report highlights reasons why OT security strategy should be a top-level concern. The reasons include:

  • Business and financial impacts: Attacks on OT can significantly impact an organization’s productivity and, therefore, its finances. The stats from the survey reveal that nearly 50% of the organizations suffered an operational outage that affected their productivity, with 90% of incidents requiring a significant amount of time and effort to restore service. Also, over 30% of respondents say their organizations experienced revenue loss, data loss, compliance difficulties, and hits to their brand’s reputation.
  • Security Gaps with Point Products: OT security is gradually improving, but security gaps still exist in many organizations. The report found that a vast majority of organizations use between two and eight different security vendors for securing their industrial devices. Many may have between 100 and 10,000 devices in operation. This complexity will challenge any IT security team using multiple OT security tools that are not integrated. It also creates gaps in their cyber defenses and invites attacks.
  • Lack of Centralized Visibility: Without centralized visibility of OT activities, the network and the entire organization become much more vulnerable. This lack of visibility can contribute greatly to elevated OT security risks in any organization. Only 52% of the surveyed organizations can track all OT activities from their security operations center (SOC).
  • Clarity on Responsibilities: As referred to above, respondents to the survey say that the CISO is not always responsible for OT security in their organization. Not having a highly qualified security individual protecting your OT networks is playing with fire. In fact, many organizations will probably get burned because only 15% of those surveyed say that their CISO is responsible for OT security at their organization.

How to Better Protect OT

The 2022 State of Operational Technology and Cybersecurity Report also offers ideas on how best to secure OT systems. Some of the suggestions include: only use solutions that offer centralized visibility of all OT activities; reduce the number of security vendors and employ products that are integrated; and deploy network access control (NAC) technology like the Fortinet role-based NAC called FortiNAC, which ensures only authorized people can access critical systems and digital assets.

For example, Fortinet delivers an integrated Security Fabric platform that covers the OT security requirements for the entire converged OT-IT network. As part of the Security Fabric, Fortinet’s proven network security solutions for operational technology include its Next Generation Firewall, FortiNAC and FortiSIEM, among other solutions. Fortinet’s Security Fabric covers the entire converged IT-OT network to close OT security gaps, deliver full visibility and provide simplified management.

To learn more about better protecting your OT network, please check out the report.