KPMG and the Control System Cyber Security Association International (CS)2AI today released their first annual report on the cybersecurity of Control Systems (CS) and Operational Technology (OT).
The inaugural “CS/OT Cyber Security Report” is based on the findings of a survey that questioned 16,000 professionals responsible for protecting and defending assets and systems worth millions to billions in capital investment.
“The survey reveals a clear relationship between the failure to focus on the data and metrics needed to enhance security, as well as inadequate levels of maturity for OT security programs,” said Derek Harp, founder and chairman of (CS)2AI.
“This report, the first of multiple research products our organization is proud to initiate, offers insight into points of failure and areas of success in this industry.”
A key finding highlighted by Harp was that fewer than 25% of companies have incorporated an active defense of their control systems and assets.
Among the notable findings in the report, 47% of organizations with more mature CS security programs use managed CS security services, versus just 6% of those with less mature programs. And while 63% of those with mature programs frequently replace vulnerable CS hardware or software after assessment, this was true of only 34% of those with less mature programs.
End-to-end security assessments were found to be conducted more frequently by organizations with mature CS security programs. And, while monitoring of all CS networks was carried out by over half (53%) of these organizations, this action was only taken by 16% of organizations with less mature programs.
“Enterprise organizations continue to struggle to address cybersecurity vulnerabilities across control systems and operational technology environments, which can have a material impact on human safety and their businesses’ bottom line,” said Walter Risi, global cyber IoT leader and technology consulting practice leader, KPMG in Argentina.
The CS/OT cybersecurity report was launched to provide business leaders and practitioners with valuable data-driven insights that will help them create an actionable plan.
“If businesses don’t take appropriate action soon to mitigate risks, regulators and governments will,” said Risi.