Cybersecurity is an issue for all companies, regardless of size, industry, or region. As technology—and the dependence on it—evolves, organizations must defend an expanding and increasingly complex attack surface against a relentless threat landscape. However, some industries are not doing as well as others. A new report from Barracuda, “The State of Industrial Security in 2022,” reveals concerning findings for critical infrastructure, manufacturing, and other industries that rely on operational technology (OT) and industrial internet-of-things (IIoT) systems.
Challenges of IIoT / OT Security
The challenge is twofold when it comes to IIoT and OT systems. Companies are working to streamline and modernize legacy operational technologies, which means taking devices that are decades old and were not designed with security in mind, connecting them to networks, and exposing them to potential remote attacks from across the internet. Many of these organizations are in industries like oil and gas, electricity and water utilities, railroad transportation, and others that form the backbone of critical infrastructure, which makes them exceptionally attractive targets—particularly for nation-state adversaries.
“In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk,” said Tim Jefferson, SVP, Engineering for Data, Networks and Application Security, Barracuda, in a press release for the report. “Issues such as the lack of network segmentation and the shocking number of organizations that aren’t requiring multifactor authentication leave networks open to attack and require immediate attention.”
Barracuda commissioned a survey of 800 senior IT managers, senior IT security managers, and project managers responsible for operational technology and IIoT projects in their organizations to understand the current state of IIoT/OT security. Analyzing the feedback from the survey provides critical insight into IIoT/OT security projects, implementation challenges, security incidents, and other related cybersecurity risks.
Critical Infrastructure Under Siege
There is fairly universal agreement that IIoT and OT security is critical, but the businesses that make up critical infrastructure often lack the resources necessary. Meanwhile, the geopolitical landscape—especially the global tension between Russia and the nations of the European Union and NATO—has made the situation increasingly tense. A blog post from Barracuda shares:
- Attacks are widespread: 94% of organizations surveyed acknowledged experiencing a security incident in the last 12 months.
- Geopolitical concerns: 89% of respondents are very or fairly concerned about the impact that the current threat landscape and geopolitical situation will have on their organizations.
- Breaches are impacting operations: 87% of organizations that experienced an incident were impacted for more than one day.
The good news is that among the industries that took part in the Barracuda survey, critical infrastructure organizations are leading the way with implementation of security projects. The bad news is that “leading the way” is relative. Only 50% of oil and gas companies in the survey have completed projects, but that was the best result, while a handful of industries actually reported a completion rate of less than 20%.
What makes this more concerning is that many of these systems are connected to the internet and exposed to potential cyberattacks from virtually anywhere. The report states, “The majority allow full network access, but around a quarter of this group report that multifactor authentication (MFA) is not required. Only 18% of companies restrict network access and enforce MFA when it comes to remote access into OT networks. Given the sensitive nature of these environments, organizations should be taking every precaution necessary to keep them as secure as possible.”
The State of Industrial Security in 2022
It makes sense for organizations to bring digital transformation to these legacy industrial systems, but that modernization comes with a cost. It takes systems and components that were not designed with security in mind and have functioned safely in their own isolated worlds for decades and connects them in ways that expose them to significant risk. The benefits are substantial as well, but only if organizations take the steps necessary to secure and protect their IIoT and OT systems.
There is a lot more in the full 31-page report, including the detailed breakdown by industry. You can check out the Barracuda blog post for an overview of key takeaways or download the full report for yourself.