OT security is a pain point, it turns out more than once. The numbers don’t lie: 94 percent of all companies in the industrial sector are victims.
That’s according to research by Kaspersky on the state of industrial cybersecurity, in this case highlighting the situation across the Netherlands. 203 Dutch decision makers from the C-suite were consulted for the interviews. These organizations, each consisting of more at least 1,000 employees, operate in the energy, manufacturing, oil and gas sectors.
Conscious but unprepared
82 percent of those surveyed believe they are vulnerable to cyber attacks. This applies not only to the organizations themselves, but also the supply chain. That, as Kaspersky points out, is a surprisingly low figure. The manufacturing sector in particular lags behind at 69 percent, while organizations within the oil, gas and energy industries do rate the level of risk highly (94 percent among oil and gas, 92 percent with energy).
Tip: 50,000 industrial systems vulnerable within Europe
The numbers are even clearer when it comes to the frequency of cyber incidents. Every company surveyed that’s operating in the oil and gas sector has experienced an attack (!). Energy companies, at 96 percent, aren’t really faring much better, while 90 percent within the manufacturing sector have also had a cyber-incident in the past year.
Even a tiny lapse in the security posture is enough to be unprepared for such an incident. So says Evgeny Goncharov, head of Kaspersky’s ICS CERT. Mere awareness of the issues at play won’t shift the needle. “The overall risk remains high because for sophisticated hackers, even a small degree of exposure is enough. And things are getting more complicated as industries start using smart technologies that introduce new entry points for attackers, as well as new ways to extend the attack to similar organizations.”
Ransomware damage
The biggest threat to organizations is ransomware, which causes downtime, sometimes significantly so. As industrial infrastructure is increasingly driven via IT tooling, a factory or port may be forced to shut down entirely. Examples abound: LockBit in Japan and Australia, the Hive group which hit Tata Power in India and an attacker targeting a supplier to the Danish train company.
Kaspersky points out the monetary damages such incidents cause. These are deeply variable, as illustrated by Kaspersky with some recent examples. Johnson Controls reportedly lost $30 million in sales due to a major incident, auto chip maker MKS Instrument sustained $200 million in damage and cleaning agent manufacturer Clorox even had to write off $357 million.
But why exactly OT?
It makes sense to wonder why attackers are targeting the OT (Operational Technology) sector this much. Merely the chance of disruption being higher can’t explain everything. After all, you’d expect organizations to be better prepared if everything else is the same as for non-industrial players. Although social engineering is the biggest risk according to 16 percent of those surveyed by Kaspersky, other factors are unique to OT. One such factor is the immensely widespread presence of legacy systems. These unpatched and generally ignored parts of the IT stack tend to rely on security through obscurity and just need an Ethernet plug to go from a liability to an active threat. Once they find their way online, any CVE since the end-of-support date of whatever OS or software is running on it, will act as a key for attackers to get through the door.
Likewise, the supply chain in the industrial sector is regularly complex and therefore difficult to secure. The supply chain is seen by 74 percent of respondents as prone to cyber dangers. While these IT decision-makers are undoubtely doing what they can to make their own organizations secure, third parties cannot be steered away from the precipice in quite the same way. Stringent compliance requirements will help push for safe standards, but it’s not enough.
Worrying trend
Jornt van der Wiel, security expert with Kaspersky’s Global Research & Analysis Team, notes that a worrying trend is taking place: organizations are preparing for a cyber attack rather than trying to prevent it. “Organizations and risk managers are finding insurance costs prohibitive. Many don’t know what else to do. There is a black hole of misunderstanding. It’s a real concern for them. They worry, but they trust IT to take care of everything. It’s like a ticking time bomb.”
In other words, a cyberattack gets the same treatment as an act of God. Organizations are so set up for an incident that it is seen as an earthquake, tsunami or hurricane. Even then, we argue, stronger foundations are possible, dams can be built and thicker walls erected. The same is true for OT security. Reducing the attack surface is a nice general truism to get behind, but Kaspersky has other ideas in store.
The shortage of security experts and lack of OT-specific training cannot be solved by Kaspersky. But it is one of the few parties with a specific solution to OT/IT problems with Kaspersky Industrial CyberSecurity. The only application somewhat similar to this is Azure IoT Hub, but that requires the embrace of a hyperscaler that OT players may not be too comfortable with (or aren’t allowed to use). We won’t be surprised if more vendors step into this space, especially with on-prem capabilities for the highest compliance requirements. If so, there may finally be improvement on the horizon for the OT world.
Also read: There is no OT apocalypse, but OT security deserves more attention