Editor's Note: Industrial organizations faced significant challenges in 2021. Cyberattacks on the Oldsmar, Florida water treatment facility, Colonial Pipeline, and JBS, as well as the SolarWinds supply chain attack, brought industrial cybersecurity to the forefront of national and global attention. The disruption of critical infrastructure has staggering financial and social consequences. Furthermore, business leaders continued to navigate the impact of the COVID-19 pandemic while determining how to operate efficiently and securely. It is against this backdrop that organizations must strive to remain resilient despite unprecedented and unpredictable challenges.
To understand how industrial organizations navigate these uncharted territories, Claroty commissioned Pollfish to conduct an independent survey of 1,100 full-time IT and OT security professionals worldwide who own, operate, or otherwise support critical infrastructure components. The survey focused on: three key challenges facing industrial enterprises—ransomware attacks, digital transformation, and remote work; key resilience factors in governance, best practices, and investment; and future policies and priorities.
Industrial cybersecurity company Claroty commissioned Pollfish to conduct an independent survey of 1,100 full-time IT and OT security professionals worldwide who own, operate, or otherwise support critical infrastructure components. Only individuals working full-time in IT security, OT/ICS security, or as OT/ICS engineers or operators participated in the survey, exploring how they are addressing the major challenges of 2021, their resilience levels, and their priorities going forward.
A total of 1,100 respondents completed the survey, including 500 in the United States, 300 in Europe, and 300 in the Asia-Pacific region. Slightly more than half (55%) of the organizations had revenues of at least one billion US dollars. They represented more than a dozen industries, including IT hardware, oil and gas (including pipelines), consumer goods, electricity, pharmaceuticals/life sciences/medical devices, transportation, agriculture/food and beverage, heavy industry, water and waste, and automotive. The survey was completed in September 2021. Key findings included:
Ransomware is rampant, and so are payments. Shockingly, 80% of respondents reported experiencing an attack, with 47% saying their OT/ICS environment was affected. Over 60% paid the ransom, with more than half (52%) paying $500,000 or more. Over 90% disclosed the incident to shareholders and/or authorities, and 69% believed timely reporting should be mandatory.
Digital transformation, remote work, and staff shortages persist. Since the COVID-19 pandemic began, digital transformation has continued to accelerate, with 73% of organizations continuing remote/hybrid work. Nearly 90% of organizations are seeking to hire, but 54% say they are finding it difficult to find enough qualified OT security candidates.
Governance and oversight demonstrated strong leadership. Over half of respondents indicated that their organization's top management and board members were frequently involved in cybersecurity decision-making and oversight. Over 60% of enterprises centralized OT and IT governance under the CISO, which is recommended as best practice. Gaps remain in processes and technology: over 65% of respondents considered their organization's vulnerability management strategy to be moderately to highly proactive, yet ransomware attacks were very successful. Nearly 30% shared passwords, 57% used usernames and passwords, and 44% used VPNs, all areas where basic cyber hygiene, stronger passwords, and secure remote access can enhance resilience.
Investment budgets have increased. Over 80% of respondents indicated that their IT and OT/ICS security budgets have both increased. Implementing new technology solutions is a top priority for cybersecurity, with the oil and gas and IT hardware industries leading the way.
I. Main Findings
1. Ransomware is rampant.
The wave of ransomware attacks targeting industrial organizations has reached new heights, leaving no organization unscathed. Globally, 80% of respondents experienced an attack, and 47% said it impacted their OT/ICS environment. Over 90% of attacked organizations disclosed the incident to shareholders and/or authorities, and in nearly half (49%) of the cases, the impact was significant.
A closer look at the distribution of attacks shows that 90% of respondents in the IT hardware, oil and gas, water and waste, and automotive sectors reported being hit by ransomware, as did 87% in heavy industry and the power sector. Unsurprisingly, larger organizations were more likely to be attacked, given the money at stake; far fewer small and medium-sized enterprises (SMEs) reported being affected, at only 63%. SMEs are defined as those with annual revenues below $500 million.
For organizations that have experienced ransomware attacks, the financial impact is enormous. Globally, over 60% of organizations paid the ransom, with more than half (52%) paying $500,000 or more. The United States leads, with 76% paying the ransom and 57% paying $500,000 or more, while the Asia-Pacific region and Europe follow at 51% and 49% respectively. Payments in these two regions also skew lower, clustering between $100,000 and $500,000.
What motivates businesses to pay the ransom? As the saying goes, time is money. Regardless of region, most respondents estimated that the revenue lost per hour of downtime equaled or exceeded what they paid in ransom. Given that equation and the risks involved, the financial model seems to favor paying. This may also explain why 69% of respondents globally believed that paying ransom should be legal. Changing that calculation requires incentives and constraints that promote more proactive controls and better risk governance.
2. Digital transformation and remote work continue.
Respondents strongly indicated that digital transformation has accelerated since the start of the COVID-19 pandemic, and globally, 73% of organizations will continue to operate with some degree of remote work in the foreseeable future. Digital transformation, the inherent increased connectivity between IT and OT networks, and remote access for employees have unlocked significant business value. However, these changes to the OT/ICS environment also create additional opportunities for attackers, posing risks. These findings are reflected in headlines and have prompted governments to reiterate warnings about the risks of connecting industrial networks to IT networks, and the necessity of increased awareness and control.
3. Resilience begins with governance.
The survey indicates that organizations have internalized the lessons learned from high-profile cyberattacks and are prioritizing cybersecurity by increasing investment and implementing new or updated processes and controls. For example, globally, over half of respondents said their organization's top management and board members are regularly involved in cybersecurity decision-making and oversight, a positive sign for continued investment and prioritization. Following recommended best practices, over 60% of enterprises globally centralize OT and IT governance under the CISO. Furthermore, the majority (62%) align with government direction regarding mandatory, timely reporting of cybersecurity incidents affecting IT and OT/ICS systems.
Globally, confidence in IT security professionals' ability to manage cybersecurity in OT/ICS environments continues to grow, rising from 61% in last year's survey to 65% this year. However, the demand for security professionals continues to increase. Nearly 90% are currently seeking to hire, 40% say the need is urgent, and 54% say it's difficult to find enough candidates with the skills and experience required to properly manage the cybersecurity of OT networks.
4. Process and Technology
Most respondents rated their organizations' cybersecurity maturity at Level 4, or Managed Level, while Europe's level is Level 3. Globally, over 65% of respondents rated their vulnerability management strategies as moderate to highly proactive, compared to 55% in Europe. However, ransomware attacks remain highly successful.
Improved cybersecurity training is needed to help deter ransomware attacks. Globally, one-third (33%) of respondents reported insufficient or no training related to preventing and managing future cyberattacks. In the 2020 survey, 83% of respondents reported receiving training related to remote work. However, there appears to be a lack of skills development for mitigating the risks posed by attacks that exploit vulnerabilities arising from this new distributed environment. OT remote access also needs improvement. Nearly 30% share passwords, with this figure approaching 20% in the Asia-Pacific region and Europe; 57% use usernames and passwords, and 44% use VPNs. Basic cyber hygiene, stronger passwords, and secure remote access solutions can help enhance resilience against attacks.
5. Investments and Priorities
Over 80% of respondents indicated that their IT and OT/ICS security budgets have increased since the start of the COVID-19 pandemic. In industries such as IT hardware, oil and gas, and electricity, this figure approaches 90%. This widespread increase in investment is likely a direct result of executives and boards prioritizing cybersecurity, given the ransomware attacks that disrupted the operations of most of the surveyed industrial organizations and the high-profile SolarWinds supply chain attack, which put IT companies in the spotlight as potential launchpads for this particularly insidious type of attack.
II. Mitigation Recommendations
Consistent with previous survey results, respondents across all regions overwhelmingly listed implementing new technology solutions as a top priority, led by 57% of respondents in the oil and gas sector and 49% in IT hardware. Europe ranked training as the second most important factor, and SMEs similarly prioritized training and technology.
As this survey demonstrates, industrial organizations are on the right track. Most have extended their existing IT risk management and governance processes to include OT networks under the CISO's oversight, and have increased their IT and OT/ICS security budgets. However, the success of ransomware attacks against most of these organizations, along with the continuation of digital transformation and remote work, is undeniable. Organizations must remain vigilant and continue to build resilience.
The industrial cybersecurity sector has made significant strides in creating technological solutions that help eliminate blind spots and close security gaps to build resilience. Furthermore, given the recruitment challenges faced by virtually every organization, solutions implemented without imposing unnecessary traffic, hardware, complex configurations, lengthy deployments, or steep learning curves on existing infrastructure and personnel are crucial.
The following five recommended technologies and processes can help security leaders and their teams better protect OT environments and enable business in today's hyper-connected world.
1. Extend risk governance to cyber-physical assets. Devices not designed with security in mind pose risks when connected to IT and OT networks. This includes all Industrial IoT, ICS, and Enterprise IoT components. For many organizations, extending governance to include these assets is a challenging step, as identifying them is not easy. It is a process that may require iteration. Fortunately, the industry has made significant technological advancements in recent years, making it easier to discover such assets and analyze their risks, vulnerabilities, and liabilities.
2. Maintain appropriate segmentation. Many business processes and applications need to communicate across the IT/OT boundary, so organizations need to ensure that this communication is secure. Isolating an organization's OT network and assets from IT in accordance with segmentation best practices is a highly effective way to prevent ransomware and other malware from spreading laterally from IT to OT. Beyond segmentation between IT and OT networks, virtual segmentation can be applied to zones within the OT environment, which helps detect lateral movement inside the OT network. When remote operations require direct access to the OT network, ensure this is done through secure remote access connections with strict controls over users, devices, and sessions. Such solutions can be deployed without increasing the burden on the OT environment.
3. Cultivate good cyber hygiene practices. Ensure cyber hygiene extends to OT and IoT devices. This includes using strong passwords (instead of sharing passwords among different users), password vaults, and multi-factor authentication. Patching legacy systems may be more challenging or impossible. If this is the case, identify and implement compensating controls such as firewall rules and access control lists. Free scanning, assessment, and testing tools can be used to help reduce the risk of being compromised.
4. Implement a robust system monitoring program. The ability to monitor threats across both IT and OT networks, and anything that crosses that boundary, is crucial for effective and efficient detection and response. Agentless solutions built specifically for continuous threat monitoring across OT networks can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to view the OT environment together. These teams leverage the same information set to take specific steps to manage and mitigate the risk from both known and unknown new threats.
5. Assess and Build Preparedness. Implementing the above functions and enhancing resilience provides peace of mind for security leaders and teams. Conducting tabletop exercises that simulate ransomware attacks provides deeper insight into an organization's preparedness, including its technical readiness. This gives organizations the opportunity to create improved incident response plans that build confidence in preparedness and timely decision-making, as well as resilience to such attacks. When incident response and forensics firms have established working relationships with internal stakeholders and teams, understand their existing IT and OT infrastructure and controls, and are aware of their business and risk profile, they are able to provide better advice more quickly in the face of an attack.
III. Conclusion
As digital transformation and remote work continued in 2021, ransomware attacks targeting IT and OT/ICS networks proliferated, resulting in substantial expenditures. These threats will persist as long as financial models continue to support ransom payments. The only way to mitigate this risk is to understand how to make hyper-connected networks more secure. Gaps in processes and technology, some of which have existed for years, must be addressed. Fortunately, global organizations with strong executive leadership and trusted cybersecurity experts at the helm are on the right track. By extending governance to include OT networks, allocating additional resources, and prioritizing best practices and controls, they are building resilience in the face of disruption.