Investment in IIoT/OT Security Leads to Reduced Incident Impact: Study

A survey commissioned by cybersecurity firm Barracuda shows that while most organizations using operational technology (OT) or industrial IoT (IIoT) systems have experienced a security incident, impact was smaller for those that have invested more in security.

Barracuda’s report, titled “The state of industrial security in 2022,” is based on a survey of 800 individuals responsible for IIoT/OT in organizations with more than 500 employees in the US, the EMEA region, and Australia.

Ninety-four percent of respondents said their organization had experienced at least one security incident within the past year, and the incident likely impacted their IIoT/OT infrastructure.

In total, 11% said they had suffered significant impact (complete shutdown of all devices and locations) and 47% said the incident had moderate impact (disruption of a large number of devices or at several locations). Sixty-five percent said their operations were impacted for at least two days.

OT incident impact

These findings are not surprising. Previous studies showed that OT systems are increasingly targeted by a rising number of threat actors, and many incidents result in outages that put physical safety at risk.

Barracuda’s study, however, found that investing in cybersecurity does appear to pay off, with organizations that had already completed some IIoT/OT security projects more likely to suffer no impact as a result of a significant incident.

Overall, 32% of organizations have completed IIoT/OT security projects and 42% are in the process of completing one. The oil and gas, telecommunications, energy, retail, and government industries account for the highest percentages when it comes to completed security projects.

The study also found that the bigger the organization, the more likely they are to have completed security projects and to have deployed various security technologies.

“Analyzing the state of IIoT/OT security projects when grouping organizations by the number of employees, apparently enterprises with more than 5,000 employees are more likely to have completed projects already, whereas the majority of small companies are still working on it,” according to the report.

Companies that reported suffering no or minimal impact are more likely to have implemented technologies such as industrial protocol detection and enforcement, antivirus or intrusion prevention system, web application firewall, segmentation, anomaly detection, advanced threat protection, and network traffic encryption.

“Overall, out of respondents that already implemented IIoT/OT security and think it works well, enterprise organizations represent the majority, and it seems smaller businesses have made less progress in implementing their security strategy. There is a clearly visible relation between the implementation status of security measures and the size of the organization,” Barracuda said.

While some organizations have implemented security projects, others plan on doing so in the coming months. A vast majority of respondents said they did attempt to implement a project at some point, but it failed for various reasons, including that it took too long to implement, the technology was too expensive, the right solution could not be found, or no one took clear responsibility for the project.

The study also found that organizations where security updates are applied automatically are less likely to experience a complete shutdown compared to companies where updates are installed manually.

Twenty-one percent of respondents said IIoT/OT devices are patched daily, and more than 50% said patches are applied weekly or monthly. Government agencies apply patches the most often, followed by the manufacturing, distribution and transportation, wholesale, and retail sectors.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
