The landscape of Operational Technology (OT) cybersecurity is shifting at an unprecedented pace. Two reports released recently—the Fortinet 2023 State of Operational Technology and Cybersecurity Report and the Cyber News Centre (CNC) report dated August 24, 2023—highlight this evolving scenario with critical insights that should serve as a wake-up call for decision-makers globally.
Unmasking Vulnerabilities in a Digital World
Both reports converge on the grim reality that our connected world, although filled with promise, also raises concerns around increased vulnerabilities in national infrastructures. The Fortinet report stresses that nearly 32% of organisations experienced ransomware attacks, a number that has remained unchanged from last year. This stagnation in combating ransomware is alarming, especially given that OT is becoming more central to the broader cybersecurity landscape.
The CNC editorial report goes a step further by emphasising that the move towards standardisation in software is presenting more significant threats than ever before. This standardisation inadvertently provides cybercriminals and state actors more straightforward paths to exploit vulnerabilities, a sentiment echoed by Robert M. Lee, CEO of Dragos. The 27% spike in vulnerabilities and the increased focus of state actors on OT sectors, as revealed by recent studies including Dragos' "2022 ICS/OT Cybersecurity Year in Review," underscores this.
A Changing Landscape—State Actors Are the New Threat
State-sponsored cyber attacks targeting OT sectors have escalated, becoming "the new frontiers in cyber warfare," as the CNC report notes. The Fortinet study corroborates this by highlighting that while insider breaches have declined, the threats from sophisticated external actors have increased. This coordinated focus on OT sectors from state actors is a significant paradigm shift that requires immediate attention.
The Good, The Bad, and The Ugly of Governance
Governments worldwide are not sitting idle. The Australian government’s new Cyber and Infrastructure Security (CICS) division and Singapore's partnership with Dragos signify the growing awareness and urgency to counter these threats. However, is this enough? The Fortinet report indicates a “solution sprawl,” where the absence of uniform policies across the IT and OT landscape is creating potential gaps for exploitation.
Towards a Realistic Self-Assessment and Action
One encouraging aspect in the Fortinet report is the more realistic self-assessment by organisations regarding their cybersecurity maturity. While the number of respondents considering their cybersecurity to be at Level 4 dropped from 21% to 13%, those at Level 3 increased from 35% to 44%. This more pragmatic view is essential for taking effective measures, but it also signifies that much work is still needed.
Time for Collective Action
The time for acknowledging the problem is over; now is the time for collective action. Both reports serve as compelling calls to action, pointing out that cyber adversaries are becoming increasingly sophisticated, targeting national infrastructures and OT systems.
While it's encouraging to see governments taking initiatives and OT cybersecurity moving out of the shadows and into the boardroom, this is not the time for complacency. The challenges are multifaceted, involving technological loopholes, advanced threats, and governance gaps. In a world increasingly dependent on interconnected digital systems, we can neither afford ignorance nor inaction when it comes to securing our OT infrastructures.
As the saying goes, "Knowing is not enough; we must apply. Willing is not enough; we must do." Let's hope that by the time next year’s reports roll out, we can talk about the significant strides we’ve made rather than the vulnerabilities we’ve newly discovered.
