Nearly 60% of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats.
While organizations have made significant investments to secure their IT infrastructures, they have not fully addressed threats to operational technology (OT) environments: 57 out of 100 executives from various critical infrastructure organizations surveyed by Indegy said they are not confident that their enterprise nor other infrastructure companies are in control of OT security.
The poll also underscores the lack of preparedness in key sectors, including energy, utilities and manufacturing. For instance, 35% of respondents said they have little visibility into the current state of security within their environment, while 23% reported they have no visibility. Meanwhile, 63% said that insider threats and misconfigurations are the biggest security risks they currently face.
“We have been tracking the escalation in cyber-threat activity specifically targeting critical infrastructures for some time,” says Barak Perelman, CEO of Indegy. “As the recent joint DHS/FBI CERT Technical Alert illustrates, adversaries have compromised facilities across the US to conduct reconnaissance and likely develop ‘red button’ capability for future attacks.”
The two agencies issued a joint alert saying that Russian government cyber-actors are actively targeting organizations in the US energy, nuclear, commercial facilities, water, aviation, government and critical manufacturing sectors. They characterized the activity as a “multi-stage intrusion campaign,” where the hackers first targeted peripheral organizations such as trusted third-party suppliers with less-secure networks and through them gain remote access into energy-sector networks.
The good news is that in tandem with this, 44% of all respondents indicated that their organizations plan to increase spending for industrial control system (ICS) security measures in the next 12–24 months. About a third (29%) reported that they were not sure.