A new report by Ponemon Institute for Tenable finds 62% of critical infrastructure respondents said their organizations have suffered multiple attacks.
Tenable has released the report, Cybersecurity in Operational Technology: 7 Insights You Need to Know. It is an independent study by the Ponemon Institute that identifies the true extent of cyberattacks experienced by critical infrastructure operators — professionals in industries using industrial control systems (ICS) and operational technology (OT).
The seven key findings of the report are:
- Cyberattacks are relentless and continuous against OT environments. Most organizations in the OT sector have experienced multiple cyberattacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment. Many have suffered from nation-state attacks.
- The C-level is heavily involved in the evaluation of cyber risk. C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organization’s business risk management.
- Nearly half of organizations attempt to quantify risk from cyber events. 48% of organizations in the OT sector (vs 38% in the non-OT sector) attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.
- OT sector organizations expect significant threats in 2019. Concerns about third parties misusing or sharing confidential information, and about OT attacks resulting in downtime to plant and/or operational equipment, increase when looking at 2019. Worries about nation-state attacks continue at a significant level.
- 2019 governance priorities vary. Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.
- 2019 security priorities address sophisticated threats. The top 2019 security priority is to improve the ability to keep up with the sophistication and stealth of attackers. This isn’t surprising given the significant number of OT sector organizations that have suffered a nation-state attack in the past 24 months.
- Organizations are challenged to improve cybersecurity. Few organizations have sufficient visibility into their attack surface. Gaining required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes.
The report found that 90% of respondents stated their environments had been damaged by at least one cyberattack over the past two years, with 62% experiencing two or more attacks.
80% of respondents cited lack of visibility into the attack surface (knowing what systems are part of their IT environments) as the number one issue in their inability to prevent business-impacting cyberattacks.
Lack of personnel and a reliance on manual processes were cited by 61% and 55% of respondents respectively as major obstacles in their ability to assess and remediate vulnerabilities.
70% of respondents view increasing communication with executives and board members as one of their governance priorities for 2019.
The report is based on an analysis of a subset of 701 respondents from organizations that fall into the Critical Infrastructure sector, defined as organizations dependent upon industrial control systems (ICSs) and other operational technology, including energy & utilities; health & pharma; industrial & manufacturing; and transportation.
“OT professionals have spoken — the people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting off cyberattacks on a regular basis,” said Eitan Goldstein, senior director of strategic initiatives, Tenable. “Organizations need visibility into their converged IT/OT environments to not only identify where vulnerabilities exist but also prioritize which to remediate first. The converged IT/OT cyber problem is one that cybersecurity and Critical Infrastructure teams must face together.”