Lack of personnel, an over-reliance on manual processes, and a lack of visibility into the attack surface resulted in nine out of ten critical infrastructure firms suffering at least one successful cyber attack in the last two years that damaged their environments.
This was revealed in a survey of professionals at companies that have deployed industrial control systems and operational technology, 62 percent of whom also said that their organisations had been impacted by at least two cyber incidents in the past two years.
The biggest reason cyber criminals have been able to breach the IT systems of critical infrastructure firms is that IT security teams acutely lack visibility into which systems are part of their IT environments. This lack of visibility, which plagues 80% of critical infrastructure organisations, has also left organisations unable to completely secure the attack surface.
While 61% of professionals said lack of personnel was holding them back from preventing business-impacting cyber attacks, 55% of them said existing reliance on manual processes was the number one reason for their failure.
70% of professionals believe that increased communication with executives and board members will help critical infrastructure firms in preventing business-impacting cyber attacks in the future.
"OT professionals have spoken — the people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting off cyberattacks on a regular basis," said Eitan Goldstein, senior director of strategic initiatives, Tenable.
"Organisations need visibility into their converged IT/OT environments to not only identify where vulnerabilities exist but also prioritize which to remediate first. The converged IT/OT cyber problem is one that cybersecurity and Critical Infrastructure teams must face together," Goldstein added.
"The issue with industrial systems is that many of them are old, ten to twenty years old in some cases, and there is not necessarily a practical way to upgrade them due to the criticality of their availability. Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have," said Sylvain Gil, Vice President Products & Co-founder at Exabeam.
"We need more insight into the behaviours of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion," Gil added.
Cyber attacks caused outages in 70% of critical infrastructure firms
Last year, a Freedom of Information request by security firm Corero Network Security revealed that around 70 percent of critical infrastructure organisations in the UK suffered from service outages, many of them due to cyber-attacks in the previous two years.
"Service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport, and the emergency services.
"The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society," said Andrew Lloyd, President at Corero Network Security.
"The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack," he added.