According to a recent TUV Rheinland report, "Study 2020 on the state of industrial safety," the lack of a holistic view of security is exposing the inner systems of industrial plants and critical infrastructure.
The study, done by TUV Rheinland and the Ponemon Institute, found that hackers are already pouncing on this opportunity. They are targeting devices and systems that control or monitor industrial processes — such as motors, pumps or valves.
“OT systems differ in function and technology from classic corporate IT. At the same time, successful cyberattacks on OT systems often cause particularly high levels of damage to the companies affected,” said Petr Láhner, executive vice president of the Business Stream Industrial Service & Cybersecurity at TUV Rheinland.
“We have therefore placed the Cybersecurity of Operational Technology at the center of our study, following on from the findings of the first study on this subject in 2019,” he added.
The study surveyed over 2,200 cybersecurity experts worldwide from the automotive, health and pharmaceutical, logistics and transport, mechanical engineering, oil and gas and utility sectors. It showed that 57% of respondents expect their firms’ OT systems to be attacked.
Almost half (48%) are convinced that cyber threats pose a greater risk to OT systems than to the IT environment. Cyber threats to OT systems have increased over the past year, said 47% of respondents.
The attacks are usually phishing, social engineering and extortion software (ransomware), the same varieties that are a menace in IT. That overlap offers an opportunity for companies to coordinate their IT and OT efforts.
Yet this is not occurring. Sixty-three percent of those surveyed felt that the security measures for IT and OT systems are not coordinated in their companies.
“A holistic view of the security of industrial plants is often still lacking. In an increasingly networked world, industrial plants are only really secure if both their IT and OT cybersecurity are addressed,” said Láhner.
The study called for a rebalancing of efforts to coordinate IT and OT security.
However, good coordination is just a first step. Companies also need to tailor their cybersecurity measures to the specific requirements for OT.
“For example, some control systems may have limited cybersecurity controls in place and could subsequently be vulnerable to cyber threats. To do this, companies have to assess their OT cyber risk and invest time and money for best effect,” he said.
Again, many companies are not doing this either. “It is alarming that in the view of the experts surveyed, there are too few financial or professional resources available for OT security,” Láhner explained.
The problem is that hackers know this very well.