Takeaways on the State of OT Security and the Cyber Supply Chain

Anyone who has seen the news lately knows that supply chain attacks are getting a lot of attention. Given the sophistication of today's attacks, the complexity of operational technology (OT) systems and networks, and the convergence between IT and OT, cybersecurity certainly is not getting any easier for CISOs.

An ESG Research Insights Report, "Assessing the State of OT Security and the Cyber Supply Chain" highlights the difficulties organizations are having providing consistent security for OT security systems. Based on a survey of senior IT, cybersecurity, and OT professionals, the implications of the challenges for OT are stark. Two-thirds (66%) of organizations reported known or suspected successful OT attacks in the last 12 months, and nearly half of those organizations (44%) experienced a disruption of business processes leading to cancelled orders, financial penalties, and missed deliveries. Respondent reported that the incidents led to:

• Lost productivity. Although 38% of respondents that suffered an attack cited lost business productivity, an additional 67% indicated a related impact, which was the effect on productivity from the significant IT time and personnel that were required for remediation.
• Data loss. More than half (52%) of respondents said an OT attack resulted in the breach of confidential data, and 32% had to publicly disclose a data breach. Both have an effect on brand reputation, shareholder value, and customer confidence.
• Personnel impact. One in five (21%) respondents indicated that an OT attack had an impact on personnel, including termination or prosecution. 

Increased Complexity and Risk from the Expansion of OT Security and Cyber Supply Chains 

Ensuring the integrity of the cyber supply chain is a significant challenge for OT security professionals. Supply chains continue to grow, and the survey indicates that organizations have an average of 27 third parties as part of their cyber supply chains, which span across different types of IT providers, OT providers, and channel partners. Many of these third parties have access to internal assets, a fact that has serious security implications. Additionally, fragmentation of the supply chain and shortages because of the pandemic forced organizations to source from alternative suppliers. Only 30% of respondents rated their organizations as "very resilient" in terms of responding to an attack.

Despite Partner Auditing, Attacks Still Occur within OT Security 

Although ongoing auditing of supply chain partners is typically performed, many organizations are forced to prioritize due to limited resources. And the risks from third-party partners are real; 71% of respondents believe that most or all of the OT attacks their organization had suffered in the last 12 months began with supply chain partners. 

To reduce the risks from third-party partners, organizations should consider a variety of factors before purchasing IT and OT products and services

• Reputation. A vendor’s overall industry reputation and its reputation with regard to security should both be considered.
• Processes and certifications. Respondents consider ISO certification an important consideration along with less formal factors such as a vendor’s risk management, secure product development processes, and emergency response procedures.
• Partners and location. Respondents were less concerned with the use of third parties for development, manufacturing, testing, and maintenance. 

Communication and Collaboration Continue to Be a Struggle

Managing third-party suppliers and securing OT environments requires collaboration across functional areas, but lack of clarity around responsibilities and communication across multiple organizational groups continues to be a top challenge for organizations. A lack of executive ownership and issues related to the chain of command only add to the problems. Workflow issues linked to collaborative tasks and the fact that different groups are often measured on different goals also create potential roadblocks to success.

No Easy Answers When it Comes to OT Security

The continuing convergence of IT and OT networks and the expansion of supply chains has undeniably made cybersecurity more difficult. Although there are no easy answers to the challenges organizations face, the ESG report suggests that these practices are good places to start:

• Ensure consistent auditing across as many supply chain partners as possible. 
• Ensure the correct and most effective tools are in place. 
• Promote successful cross-functional collaboration.