Industrial OT widely vulnerable to intrusion, survey finds

A newly released survey of security professionals in the U.S. and in Europe, the Middle East, and Africa might serve as a wake-up call, as the polling revealed that industrial OT likely is extremely vulnerable to intrusion.

“Our world has become increasingly interconnected, and the findings of this report highlight the vital need for organizations to re-evaluate and enhance their strategies for ensuring secure access into OT environments,” said Larry Ponemon, chairman and founder of the Michigan-based Ponemon Institute, which partnered with remote access management solution provider Cyolo on the report.

The report identifies significant gaps in securing access to connected OT environments, the pair stated in a Feb. 21 release of the results of the global survey, which in addition to the U.S. polled security professionals on other continents in what is known as the EMEA.

Overall, the survey revealed that most industrial organizations—73%—lack visibility into their OT assets. A bare majority—55%—of respondents believed their organizations “effectively” or “very effectively” mitigated risks and security threats to the OT environment.

Moreover, only 27% of respondents said their organizations maintain accurate inventories of OT assets. Also, 69% said their organizations have either no inventories or inaccurate and outdated inventories, and the remaining 5% were unsure about the state of their asset inventories.

The report, titled “Managing Access & Risk in the Increasingly Connected Operational Technology (OT) Environment,” reveals that many industrial organizations lack the resources, expertise, and collaborative processes to effectively mitigate threats and ensure secure access to OT systems.

OT is the hardware and software that monitors and controls devices, processes, and infrastructure within industrial settings, on the plant floor. OT systems and devices control the physical world, while IT systems manage digital data and applications.

Often, separate personnel or even whole departments at manufacturing companies of all sizes manage OT apart from IT, and many stakeholders have argued for their convergence.

“Ensuring secure access to OT environments is about more than just cybersecurity,” the Feb. 21 release distributed by Cyolo said. “These environments contain highly sensitive systems and critical infrastructure responsible for keeping manufacturing lines running, water and electricity flowing, and performing other tasks vital to the smooth functioning of our communities.”

“We are at a crucial point in the evolution of OT security, and the need to secure access to critical systems from internal and external threats is more urgent than ever,” said Joe O'Donnell, who is executive VP of corporate development and general manager of OT at Cyolo.

“The stakes are exceptionally high,” he added, “as a breach could jeopardize not just data but also the functioning of critical infrastructure, risking the safety of workers and the environment.”

OT systems have been historically isolated for security reasons, the two groups noted, but face increased connectivity to IT networks and the internet (sometimes called IT/OT convergence).

At the same time, more third-party vendors and contractors are being given remote access to OT environments. These shifts introduce serious new risks that can leave organizations exposed to safety and security threats if access and connectivity aren’t properly controlled.

More key findings of the newly released survey include:

Organizations allow dozens of third-party users to access OT environments, the respondents said, with 73% permitting third-party access to OT environments, with an average of 77 third parties per organization granted such access.
Challenges to securing third-party access include preventing unauthorized access (44% of those surveyed), aligning IT and OT security priorities (43%), and giving users too much privileged access (35%).
IT and OT teams share responsibility for OT security but do not communicate enough to achieve optimal outcomes, according to the survey, with 71% of respondents reporting that IT or IT and OT together are responsible for securing OT environments.
However, collaboration and communication are lacking, with 37% reporting little or no collaboration between IT and OT, and 19% reporting that teams talk about OT security issues only when an incident does occur.
Security is seen not only as a goal of IT/OT convergence but also as an obstacle. Reducing security risk is the top objective of companies pursuing IT/OT convergence (59%), but one third (33%) of organizations that are not pursuing convergence cite security risk as a top factor for their decisions.
Nearly half (49%) of organizations have not reassessed the security and effectiveness of remote access tools adopted during the COVID-19 pandemic.

“This research reveals a pressing need for new approaches, especially in areas like third-party and privileged access, the security of legacy systems, and collaboration between IT and OT teams,” O'Donnell added.

‘Moderately effective’ not enough for cybersecurity

There are scenarios in which being “moderately effective” is sufficient, but OT cybersecurity is not one of them, Cyolo and Ponemon Institute noted in their materials.

“For the sake of both security and safety, organizations that lack confidence in their current threat mitigation strategies must adopt new approaches and possibly also new security and access management solutions,” their Feb. 21 release stated.

“This is the case whether or not organizations are working toward (or plan to work toward) any level of IT/OT convergence; however, improving OT security is even more urgent for those that are opening themselves to new potential risks through connections to IT networks and the internet.”

Manufacturing companies were targeted in 71% of ransomware incidents in 2023, according to a recently released OT Cybersecurity Year in Review by Dragos, a industrial OT cybersecurity platform vendor.