A survey commissioned by cybersecurity firm Barracuda shows that while most organizations using operational technology (OT) or industrial IoT (IIoT) systems have experienced a security incident, impact was smaller for those that have invested more in security.
Barracuda’s report, titled “The state of industrial security in 2022,” is based on a survey of 800 individuals responsible for IIoT/OT in organizations with more than 500 employees in the US, the EMEA region, and Australia.
Ninety-four percent of respondents said their organization had experienced at least one security incident within the past year, and the incident likely impacted their IIoT/OT infrastructure.
In total, 11% said they had suffered significant impact (complete shutdown of all devices and locations) and 47% said the incident had moderate impact (disruption of a large number of devices or at several locations). Sixty-five percent said their operations were impacted for at least two days.
These findings are not surprising. Previous studies showed that OT systems are increasingly targeted by a rising number of threat actors, and many incidents result in outages that put physical safety at risk.
Barracuda’s study, however, found that investing in cybersecurity does appear to pay off, with organizations that had already completed some IIoT/OT security projects more likely to suffer no impact as a result of a significant incident.
Overall, 32% of organizations have completed IIoT/OT security projects and 42% are in the process of completing one. The oil and gas, telecommunications, energy, retail, and government industries account for the highest percentages when it comes to completed security projects.
Learn More About OT Security at SecurityWeek’s ICS Cyber Security Conference
The study also found that the bigger the organization, the more likely they are to have completed security projects and to have deployed various security technologies.
“Analyzing the state of IIoT/OT security projects when grouping organizations by the number of employees, apparently enterprises with more than 5,000 employees are more likely to have completed projects already, whereas the majority of small companies are still working on it,” according to the report.
Companies that reported suffering no or minimal impact are more likely to have implemented technologies such as industrial protocol detection and enforcement, antivirus or intrusion prevention system, web application firewall, segmentation, anomaly detection, advanced threat protection, and network traffic encryption.
“Overall, out of respondents that already implemented IIoT/OT security and think it works well, enterprise organizations represent the majority, and it seems smaller businesses have made less progress in implementing their security strategy. There is a clearly visible relation between the implementation status of security measures and the size of the organization,” Barracuda said.
While some organizations have implemented security projects, others plan on doing so in the next months. A vast majority of respondents said they did attempt to implement a project at some point, but it failed due to various reasons, including because it took too long to implement, the tech was too expensive, due to not being able to find the right solution, or due to no one taking clear responsibility for the project.
The study also found that organizations where security updates are applied automatically are less likely to experience a complete shutdown compared to companies where updates are installed manually.
Twenty-one percent of respondents said IIoT/OT devices are patched daily, and more than 50% said they are applied weekly or monthly. Government agencies apply patches the most often, followed by the manufacturing, distribution and transportation, wholesale, and retail sectors.
Related: New Dragos OT-CERT Provides Free Industrial Cybersecurity Resources
Related: ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure