Security incidents are ubiquitous in industrial IoT and OT, survey finds

Uh oh, there’s IT in my OT: Security firm Barracuda’s recently released 2022 State of Industrial Security report found that 94% of 800 senior IT, security, and project managers responsible for safeguarding industrial IoT or operational technology at their organization have faced down at least one security incident within the last 12 months. Among respondents who work in government—–a sector that might be especially attractive targets for well-organized and sometimes state-backed cybercriminals—–as well as in mining and metals and oil and gas, that figure rose to 100%.

Just 13% of respondents said that operations were impacted for less than one day; 65% reported impacts lasting for two days or more.

Preventative measures help, but are hard to pull off: Many companies are failing to take basic security precautions when it comes to operational technology, according to the survey: Just 18% restrict network access as well as require multi-factor authentication for remote connections. Some other takeaways:

• Of those who reported no impact from their biggest security incident over the last 12 months, 75% said they had already completed some industrial IoT/OT security projects.
• Of those who experienced a significant impact, just 30% reported already having completed those projects.

Over 9 in 10 managers reported failures in security on their industrial IoT, with the top two explanations being that the project either took too long or cost too much. Respondents also reported scalability, the actual level of security provided, lack of control over external devices joining the network, and the difficulties of managing a distributed environment as the most common challenges they had faced or expected to face from implementation. While around half of respondents said their organizations had implemented some form of segmentation, just 6% reached the highest and most complicated level of security—micro-segmentation, which isolates machines on separate network segments.

Barracuda’s SVP for data protection, network, and application security Tim Jefferson told CSO Online, “unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.