A false sense of OT security opens the door for bad actors to attack

New research report finds a strange contradiction: many of the security teams who admit their OT networks have been breached still deny they are vulnerable to a cyberattack

Skybox Security’s new research report “Cybersecurity risk underestimated by operational technology organizations” discovered that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. However, the research also uncovered that OT organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organizations will not suffer an OT breach in the next year.

One of the more striking findings of the report is that some security decision-makers deny they are vulnerable even as they admit to having been breached. The belief that their infrastructure is safe, despite evidence to the contrary, has led to inadequate OT security measures.

Denying the truth doesn't change the facts, and you would expect security teams to learn from these shortcomings. Too often, though, the wake-up call that your OT is vulnerable arrives as a 3 am phone call when plant floor machinery stops working or starts operating dangerously, an incident that can cost the company a fortune in downtime, damage and safety consequences.

This denial in the face of the evidence raises the question: why is there such a gap between the reality and the perception of OT security? Often the disconnect starts at the functional level: some roles refuse to believe their OT systems are vulnerable, while others believe the next breach is waiting around the corner. For example, the report found that 73% of CIOs and CISOs are highly confident their OT environment will stay safe over the next year, compared with only 37% of plant managers, who have more firsthand experience with the repercussions of an attack.

Another reason for this false sense of OT security is the belief that increasing expenditure and throwing more security devices at the problem will make it go away. Once breached, OT decision-makers said that two of the top three actions they took were increasing the security budget and purchasing new technology. But every new tool is another silo, more silos mean more visibility gaps, and in some cases the firewalls themselves ship with vulnerabilities of their own that must be patched and configured correctly before they reduce risk rather than add to it.

But perhaps the most critical reason for this organizational denial is the belief that compliance equals security. The research found that "meeting compliance regulations and requirements" was the most pressing concern for all OT decision-makers.

It's easy to see why compliance is a concern: mandates change often, are hard to interpret, and can be overwhelming. In the OT environment the security requirements, frameworks and risk methodologies are many, for example:

  • STIG compliance requirements
  • NERC CIP compliance
  • Risk quantification with the FAIR methodology
  • The Cyber Value at Risk (CVaR) model

That’s a lot of boxes to check.

Consider the retail breaches from half a decade ago: most of the victims were PCI DSS compliant yet were breached badly. As the adage goes, a secure environment is likely to be compliant, but a compliant environment is not necessarily secure. Audits are point-in-time assessments, and they limit their scope to specific business units or technologies. They cannot cover everything, so the security leader must implement a comprehensive program that includes appropriate controls at every layer.

Focusing all effort on compliance neglects the areas that are out of an audit's scope but still part of the attack surface. Bad actors know this tendency and tailor their attacks accordingly. For example, you may have robust access controls from Purdue Level 4 down to Level 2, but have you considered a partner's device that reaches a management interface inside Level 2? If that device is infected with malware, can it propagate laterally, and can it reach the Level 1 controllers? These are exactly the scenarios a compliance mandate does not require you to address.
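The scenario above can be checked mechanically rather than argued about. The following is an added example, not code or data from the Skybox report: it models a constructed, hypothetical plant network as allow rules between hosts tagged with their Purdue level, runs a reachability search from a partner laptop, and reports every path to a Level 1 controller that relies on a rule the audit never looked at, assuming the audit only reviewed rules crossing the Level 4/3/2 boundaries. All host names, levels and rules are invented for the illustration.

```python
from collections import deque

# Constructed inventory for the example: host -> Purdue level (hypothetical).
HOSTS = {
    "erp-server": 4,
    "historian": 3,
    "scada-server": 2,
    "hmi-01": 2,
    "vendor-laptop": 2,   # partner device plugged into the supervisory LAN
    "plc-01": 1,
    "plc-02": 1,
}

# Constructed allow rules (src, dst, tcp_port); anything not listed is denied.
RULES = [
    ("erp-server", "historian", 1433),        # L4 -> L3 reporting pull
    ("historian", "scada-server", 4840),      # L3 -> L2 OPC UA
    ("vendor-laptop", "scada-server", 443),   # partner reaches SCADA web mgmt
    ("vendor-laptop", "hmi-01", 3389),        # partner RDP into an HMI
    ("scada-server", "plc-01", 502),          # L2 -> L1 Modbus/TCP
    ("hmi-01", "plc-02", 502),                # L2 -> L1 Modbus/TCP
]


def rule_in_audit_scope(rule, hosts=HOSTS, scope=(4, 3, 2)):
    """True if a review limited to the Level 4 -> 3 -> 2 boundaries would
    have examined this rule: it must cross between two distinct levels that
    are both inside the scope. Intra-level and L2 -> L1 rules are missed."""
    src_level, dst_level = hosts[rule[0]], hosts[rule[1]]
    return src_level != dst_level and src_level in scope and dst_level in scope


def reachable_paths(src, hosts=HOSTS, rules=RULES):
    """Breadth-first search over the allow rules starting at `src`.
    Returns {host: [rules traversed to get there]} for every reachable host."""
    edges = {}
    for rule in rules:
        edges.setdefault(rule[0], []).append(rule)
    paths = {src: []}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        for rule in edges.get(current, []):
            if rule[1] not in paths:          # first visit = shortest path
                paths[rule[1]] = paths[current] + [rule]
                queue.append(rule[1])
    return paths


def unreviewed_paths_to_level(src, level=1, hosts=HOSTS, rules=RULES):
    """Paths from `src` to hosts at `level` that depend on at least one rule
    the audit never reviewed. Returns {target: [unreviewed rules on path]}."""
    findings = {}
    for target, path in reachable_paths(src, hosts, rules).items():
        if target == src or hosts[target] != level:
            continue
        missed = [r for r in path if not rule_in_audit_scope(r, hosts)]
        if missed:
            findings[target] = missed
    return findings


if __name__ == "__main__":
    # The partner laptop reaches both PLCs, and every hop it uses was out of scope.
    for plc, missed in unreviewed_paths_to_level("vendor-laptop").items():
        print(f"{plc} reachable from vendor-laptop via unreviewed rules: {missed}")
```

In the constructed network the audited boundaries are genuinely clean: the only Level 4 to Level 1 path goes through the reviewed historian and SCADA rules and is exposed only by the unreviewed Level 2 to Level 1 Modbus rule. The partner laptop, sitting inside Level 2, never crosses an audited boundary at all, which is why a scope-limited review would never surface it.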

So, yes, maintaining compliance is essential, but it is equally important to put measures in place that strengthen your security posture beyond what the regulations demand. Teams that believe meeting a mandate such as NERC CIP makes them immune to attack can be blindsided by a breach. Compliance, by definition, means meeting the minimum security requirements of a specific regulation, so a "compliant" infrastructure without a more resilient security posture can still be breached. Treating compliance as the silver bullet for the security of your OT systems is a recipe for disaster, and the belief that compliance makes you safe could be the beginning of the end of your business.