SPONSORED BY TENABLE
Independently conducted by Ponemon Institute LLC
March 2019
Cybersecurity in Operational Technology: 7 Insights You Need to Know
1 We surveyed 2,410 IT and IT security practitioners in the United States, United Kingdom, Germany, Australia, Mexico and Japan and the findings were presented in a previously released report, Measuring & Managing the Cyber Risks to Business Operations.
2 The OT sector in this study includes respondents in energy & utilities, health & pharma, industrial & manufacturing and transportation.
EXECUTIVE SUMMARY
Cybersecurity in Operational Technology: 7 Insights You Need to Know, which was sponsored by Tenable® and conducted by Ponemon Institute, reveals that a lack of visibility into the attack surface, inadequate security staffing and reliance on manual processes undermine operational technology (OT) sector organizations’ stated requirements to protect OT and IoT infrastructure from downtime.
This report is based on our analysis of a subset of 701 respondents from Measuring & Managing the Cyber Risks to Business Operations¹ whose organizations fall into the OT sector² – defined as industries dependent upon industrial control systems (ICSs) and other operational technology. All respondents are involved in their organizations’ evaluation and/or management of investments in IT and/or OT cybersecurity solutions. Because today’s operational systems rely on both OT and IT assets, we have investigated IT, OT and IoT.
The following summarizes the key findings:
1. Cyberattacks are relentless and continuous against OT environments. Most organizations in the OT sector have experienced multiple cyberattacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment. Many have suffered from nation-state attacks.
2. The C-level is heavily involved in the evaluation of cyber risk. C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organization’s business risk management.
3. Nearly half of organizations attempt to quantify risk from cyber events. 48% of organizations in the OT sector (vs 38% in the non-OT sector) attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.
4. OT sector organizations expect significant threats in 2019. Concerns about third parties misusing or sharing confidential information and OT attacks resulting in downtime to plant and/or operational equipment increase when looking at 2019. Worries about nation-state attacks continue at a significant level.
5. 2019 governance priorities vary. Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.
6. 2019 security priorities address sophisticated threats. The top 2019 security priority is to improve the ability to keep up with the sophistication and stealth of attackers. This isn’t surprising given the significant number of OT sector organizations that have suffered a nation-state attack in the past 24 months.
7. Organizations are challenged to improve cybersecurity. Few organizations have sufficient visibility into their attack surface. Gaining required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes.
KEY INSIGHTS
Let’s take a closer look at each of the findings.
Finding #1: Cyberattacks are relentless and continuous.
As shown in Figure 1, 90% of OT organizations represented in this study have experienced at least one damaging cyberattack over the past two years and 62% have had two or more. These attacks have resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment.
Figure 1. OT sector organizations are experiencing multiple damaging cyberattacks
Number of cyberattacks experienced over the past 24 months:
0: 10%
1: 28%
2 or 3: 25%
4 or 5: 13%
6 or 7: 13%
8 or 9: 7%
10 or 11: 4%
90% experienced at least one damaging cyberattack over the past two years
Virtually all organizations in the OT sector rely on converged OT and IT systems. Therefore, the OT sector is concerned with weaknesses and attacks relating to OT and IT systems, including phishing scams. 53% of OT sector organizations report that in the past 24 months an employee fell for a phishing scam resulting in credential theft (see Figure 2).
OT attackers often use credentials gained in IT environments to pivot into and attack OT infrastructure. Half of OT sector organizations say they’ve had at least one attack against OT infrastructure in the past 24 months that resulted in downtime to plant and/or operational equipment. Furthermore, 23% report at least one nation-state attack in the past 24 months.
Figure 2. Cyber events experienced in the past 24 months
Categories charted (axis 0% to 60%): An employee falls for a phishing scam that resulted in credential theft; Third party misuses or shares confidential information with other third parties; An attack against my company’s OT infrastructure that results in downtime to plant and/or operational equipment; An attack that involves IoT or OT assets; A significant disruption to business processes caused by malware; A cyberattack that causes significant downtime; Leakage of business-confidential information, such as emails; Economic espionage (theft of business-critical information); A nation-state attack; Cyber extortion such as ransomware; A data breach involving 10,000 or more customer or employee records; Fines and/or lawsuits for non-compliance with data protection and privacy requirements; Other (3%).
50% have experienced at least one attack against OT infrastructure that resulted in downtime in past 24 months
Finding #2: The C-level is heavily involved in the evaluation of cyber risk.
Not surprisingly, more than half (60%) of respondents report that C-level executives are most involved in the evaluation of cyber risk as part of their organization’s business risk management. Line-of-business and plant managers are most involved only about one-third (37%) of the time.
Figure 3. Who is most involved in the evaluation of cyber risk as part of your organization’s business risk management?
Chief Information Officer: 25%
Chief Information Security Officer: 12%
Chief Security Officer: 6%
Chief Risk Officer: 10%
Chief Technology Officer: 7%
Line of Business (LoB) Management: 29%
Plant Management: 8%
Other: 3%
60% report that C-level is most involved in the evaluation of cyber risk
Finding #3: Nearly half of OT sector organizations attempt to quantify damage from cyber events.
Nearly half of OT sector respondents (48%) say their organization attempts to quantify the damage to the business from the threats listed in Figure 4. In fact, quantifying the damage from downtime of OT systems is rated as the highest factor when quantifying overall cyber risk (see Figure 4).
OT downtime can result in millions of dollars of lost revenue, productivity, etc. For example, the Taiwan Semiconductor Manufacturing Company Ltd. reported that the WannaCry infection which crippled multiple factories would reduce quarterly revenues by 3%³ – estimated at more than $150 million.
Figure 4. Factors used to quantify risk
Categories charted (axis 0% to 50%): Downtime of OT systems; Frequency of unpatched (known) vulnerabilities; Theft of intellectual property; Loss of employee productivity; Financial loss; Customer turnover; Loss of market share; Employee turnover; Decline in stock price; Other.
1/2 say downtime of OT systems is biggest factor used to quantify risk
3 TSMS Details Impact of Computer Virus Incident
Finding #4: OT sector organizations expect significant threats in 2019.
• Third parties misusing or sharing confidential information: Although only 37% of OT sector respondents report that in the past 24 months a third party misused or shared confidential information with other third parties (see Figure 2), 65% list the threat as one of the top five they worry about in 2019 (see Figure 5) – making it the biggest expected threat this year. This isn’t surprising given many organizations in the OT sector rely on third parties to help them manage and maintain their OT infrastructure.
• OT attacks resulting in downtime are an increasing threat: While 50% of organizations experienced an attack in the past 24 months against OT infrastructure that resulted in downtime to plant and/or operational equipment (see Figure 2), 60% list it as one of the threats they’re most worried about in 2019 (see Figure 5).
• Nation-state attack threats continue: More than one-fifth (21%) of OT sector organizations list a nation-state attack as one of the threats they’re most worried about (see Figure 5). Nation-state attacks are especially concerning in the OT sector because they’re typically conducted by well-funded, highly capable cybercriminals and are aimed at critical infrastructure.⁴
Figure 5. Most worrisome threats in 2019
Categories charted (axis 0% to 70%): Third party misuses or shares confidential information with other third parties; Leakage of business-confidential information, such as emails; An attack that involves IoT or OT assets; An attack against my company’s OT infrastructure that results in downtime to plant and/or operational equipment; A data breach involving 10,000 or more customer or employee records; An employee falls for a phishing scam that resulted in credential theft; Economic espionage (theft of business-critical information); A cyberattack that causes significant downtime; A significant disruption to business processes caused by malware; A nation-state attack; Cyber extortion such as ransomware; Fines and/or lawsuits for non-compliance with data protection and privacy requirements; Other (1%).
4 Refer to the US-CERT Technical Alert, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors”
60% are worried about an attack against OT infrastructure
Finding #5: 2019 governance priorities vary.
Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization is the number-one priority for 2019 (see Figure 6). The second priority is ensuring third parties have appropriate security practices to protect sensitive and confidential data. This objective aligns directly with the most worrisome threat for 2019: third-party misuse or sharing of confidential information with other third parties (see Figure 5).
Figure 6. 2019 governance priorities
Categories charted (axis 0% to 80%): Increase communication with C-level and board of directors about the cyber threats facing our organization; Ensure third parties have appropriate security practices to protect sensitive/confidential data; Increase staff training to prevent behavior such as falling for a phishing scam or sharing passwords; Allocate more resources to vulnerability management; Increase the number of FTEs in our IT security function; Other (0%).
Finding #6: 2019 security priorities address sophisticated OT threats.
As shown in Figure 7, the top two priorities, “Improve our ability to keep up with the sophistication and stealth of the attackers” and “Reduce the risk of attacks to the OT infrastructure,” align well with the previously discussed risk of nation-state attacks against OT infrastructure (see Figure 2).
Figure 7. 2019 security priorities
Categories charted (axis 0% to 80%): Improve our ability to keep up with the sophistication and stealth of the attackers; Reduce the risk of attacks to the OT infrastructure; Improve protection of sensitive and confidential data from unauthorized access; Reduce complexity in our IT security infrastructure; Improve controls over third parties’ access to our sensitive/confidential data; Ensure third parties have appropriate security practices to protect sensitive/confidential data; Reduce the risk of unsecured IoT devices in the workplace; Control the proliferation of IoT devices in the workplace; Other.
Finding #7: Organizations are challenged to improve cybersecurity.
Visibility into the attack surface is insufficient
Using a five-point scale of strongly agree to strongly disagree, only 20% of OT sector respondents agree or strongly agree they have sufficient visibility into their organization’s attack surface (see Figure 8). This is concerning because all security controls and processes depend on the visibility provided by comprehensive asset inventories. A complete hardware and software inventory is fundamental to all security frameworks and compliance requirements, including the CIS Controls, NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC CIP.
Inadequate staffing and manual processes limit vulnerability management
The cybersecurity skills shortage has exacerbated the issues created by reliance on manual processes. This skills shortage is especially evident in vulnerability management because organizations often lack sufficient vulnerability management staff to execute the manual processes.
Figure 8. Perceptions about the challenges security teams face
Percentages represent combined Strongly Agree and Agree responses
20%: I have sufficient visibility into my organization’s attack surface
39%: The security function of our organization has adequate staffing to scan vulnerabilities in a timely manner
53%, 55%: Our organization is at a disadvantage in responding to vulnerabilities because we use a manual process; Security spends more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog
CONCLUSION
Organizations in the OT sector are aligning their 2019 security priorities to address their most significant worries in 2019. The survey results suggest multiple recommendations for improving security in 2019 and beyond:
• Improve communication with the C-suite and board of directors about the cyber threats facing the organization. This will help identify and address gaps among the organization’s risk appetite and actual risk exposure.
• Improve visibility into the attack surface. Blind spots can result in unmanaged and unsecured IT and OT systems. Complete visibility is required for organizations to assess their risk.
• Increase the use of automated processes to compensate for the security staff shortage.
• Continue to recognize the security impact of interdependencies between IT and OT systems. Vulnerabilities and other weaknesses in IT systems can put interconnected OT systems at risk, and vice versa.
Need help getting visibility into your OT infrastructure? Check out the blog post, “Gaining Greater Insight into Operational Technology Environments.”
Please write to [email protected] or call 800.887.3118 if you have any questions.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advance responsible information and privacy-management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.