A new research study by Skybox Security found that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. However, the research also uncovered that organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organizations will not suffer an OT breach in the next year.
So, what’s the justification for this contradiction? In a word: apathy.
Apathy is perhaps the most significant risk to critical infrastructure security. OT security is now a minimum of 10 years behind IT security, and leaders in the OT space are just now considering centralizing and managing firewalls.
But “apathy” isn’t just laziness. It’s more complicated than that. It’s often a case of not knowing what to do.
For example, the gap between IT and OT security is mainly because, historically, OT networks and OT devices did not have to worry about IP-based attacks. They might be on closed networks with devices, but the need for universal communication external to the organization or facility wasn’t prevalent until a decade ago. Since they started late, they’re lagging the IT world. Compound this with the general lack of expertise around OT device capabilities, network stacks/protocols, and the primary drive to ensure availability. As a result, you have a difficulty multiplier much higher than in the non-OT space.
Maintaining compliance doesn’t equate to strong security
Another finding in the research report is that “maintaining compliance with regulations and requirements” is the top concern of OT security decision-makers. But compliance standards have proven insufficient in preventing security incidents. Therefore, compliance managers must know that compliance does not equal security, right? This is a complicated conclusion because it mixes knowledge, liability, and capability. Most leaders likely know this adage, but they have to adjust their responses accordingly due to limited resources. “Plausible deniability” and “not my job” syndrome plague OT security.
Lack of expertise can lead to breaches
Recently, there has been an alarming rise in attacks on critical infrastructure and other OT systems, but little has changed. One of the surprising findings of our research is that some security team personnel deny they are vulnerable yet admit to being breached. The belief that their infrastructure is safe —despite evidence to the contrary — has led to inadequate OT security measures. One might ask, where does the denial end and the apathy begin? Once again, the answer is more complicated than just apathy – it’s also a lack of expertise in how to best secure OT.
Instead of “apathy,” perhaps “analysis paralysis” coupled with a lack of “domain expertise” is an alternative way to describe what’s resulted in the tenuous state of OT security.
Unfortunately, there's the perception that when breaches happen, security teams must be asleep on the job. But the reality is that hackers have to be right once, while security teams have to be right all the time.”
The gap in cyber-skills is already immense and looks insurmountable in OT. Consider this: a municipality like the Oldsmar FL water plant may have 3 IT people covering the whole organization, and they all wear multiple hats. It’s likely their security person may also be a network and server person, so they don’t have the deep knowledge needed to secure the OT network. In addition, the vendors of the various water systems are responsible for keeping the system running, so they require remote access, and since there is a knowledge gap, breaches happen. This situation is repeated all over the place, and there is no simple answer since local municipalities don’t have the resources to retain highly skilled security personnel.
The lack of expertise isn’t just at the engineering layer — it also exists in the management layer. CISOs today have a myriad of resources readily available, such as partners and consultancies, that can quickly advise on general security practices for the enterprise. The same resources aren’t as widespread for the OT leaders, and they tend to cost much more because it’s such a specialized area. Lack of knowledge and general fatigue can cause leaders to fall back on more familiar methods such as maintaining compliance with regulations, rather than working to eliminate exposure with proactive security posture management methods.
OT security is an afterthought
Another finding in the report was that 40% of respondents said OT is an afterthought to other digital initiatives regarding security. Why? This answer depends on the respondent’s group, but usually, it’s skills- and budget-gap and how it’s perceived. However, security leaders will spend on the areas they know how to measure.
One interpretation is that CISOs responsible for security strategy don’t understand the OT environment; therefore, they are not resourcing appropriately. On the other hand, the OT team contributes to cyber security inertia; they care about security risks — just not enough to prioritize them over production goals. Mucking up matters is that IT managers, who are committed to protecting data, do so by constantly patching and updating the entire network; however, this results in production-killing downtime. While this seems to be a complicated dynamic, it all boils down to this open secret: plant managers know there are risks but prioritize production.
In short: confusion leads to inaction — and unfortunately, that leads to costly breaches.
Move from apathy to resilience
So, what’s the solution for operational technology security? There are too many vulnerabilities to patch with too little visibility, expertise, and resources.
Move from apathy to resilience with a proactive security posture management program. Skybox provides the visibility and context you need across your OT networks. We give you the ability to eliminate exposure by identifying where you are most prone to a cyber-attack. And we suggest optimal vulnerability remediation options (beyond pathing).
