Cybersecurity in Operational Technology: 7 Insights You Need to Know

Sponsored by Tenable. Independently conducted by Ponemon Institute LLC, March 2019


1 We surveyed 2,410 IT and IT security practitioners in the United States, United Kingdom, Germany, Australia, Mexico and Japan and the findings were presented in a previously released report, Measuring & Managing the Cyber Risks to Business Operations.

2 The OT sector in this study includes respondents in energy & utilities, health & pharma, industrial & manufacturing and transportation.


EXECUTIVE SUMMARY

Cybersecurity in Operational Technology: 7 Insights You Need to Know, which was sponsored by Tenable® and conducted by Ponemon Institute, reveals that a lack of visibility into the attack surface, inadequate security staffing and reliance on manual processes undermine operational technology (OT) sector organizations’ stated requirements to protect OT and IoT infrastructure from downtime.

This report is based on our analysis of a subset of 701 respondents from Measuring & Managing the Cyber Risks to Business Operations¹ whose organizations fall into the OT sector² – defined as industries dependent upon industrial control systems (ICSs) and other operational technology. All respondents are involved in their organizations’ evaluation and/or management of investments in IT and/or OT cybersecurity solutions. Because today’s operational systems rely on both OT and IT assets, we have investigated IT, OT and IoT.

The following summarizes the key findings:

1. Cyberattacks are relentless and continuous against OT environments. Most organizations in the OT sector have experienced multiple cyberattacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment. Many have suffered from nation-state attacks.

2. The C-level is heavily involved in the evaluation of cyber risk. C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organization’s business risk management.

3. Nearly half of organizations attempt to quantify risk from cyber events. 48% of organizations in the OT sector (vs 38% in the non-OT sector) attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.

4. OT sector organizations expect significant threats in 2019. Concerns about third parties misusing or sharing confidential information and OT attacks resulting in downtime to plant and/or operational equipment increase when looking at 2019. Worries about nation-state attacks continue at a significant level.

5. 2019 governance priorities vary. Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.

6. 2019 security priorities address sophisticated threats. The top 2019 security priority is to improve the ability to keep up with the sophistication and stealth of attackers. This isn’t surprising given the significant number of OT sector organizations that have suffered a nation-state attack in the past 24 months.

7. Organizations are challenged to improve cybersecurity. Few organizations have sufficient visibility into their attack surface. Gaining required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes.


KEY INSIGHTS

Let’s take a closer look at each of the findings.

Finding #1: Cyberattacks are relentless and continuous.

As shown in Figure 1, 90% of OT organizations represented in this study have experienced at least one damaging cyberattack over the past two years and 62% have had two or more. These attacks have resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment.

Figure 1. OT sector organizations are experiencing multiple damaging cyberattacks

Number of cyberattacks experienced over the past 24 months:

• 0: 10%
• 1: 28%
• 2 or 3: 25%
• 4 or 5: 13%
• 6 or 7: 13%
• 8 or 9: 7%
• 10 or 11: 4%

90% experienced at least one damaging cyberattack over the past two years


Virtually all organizations in the OT sector rely on converged OT and IT systems. Therefore, the OT sector is concerned with weaknesses and attacks relating to OT and IT systems, including phishing scams. 53% of OT sector organizations report that in the past 24 months an employee fell for a phishing scam resulting in credential theft (see Figure 2).

OT attackers often use credentials gained in IT environments to pivot into and attack OT infrastructure. Half of OT sector organizations say they’ve had at least one attack against OT infrastructure in the past 24 months that resulted in downtime to plant and/or operational equipment. Furthermore, 23% report at least one nation-state attack in the past 24 months.

Figure 2. Cyber events experienced in the past 24 months

[Bar chart, 0% to 60%. Events charted: an employee falls for a phishing scam that resulted in credential theft; third party misuses or shares confidential information with other third parties; an attack against my company’s OT infrastructure that results in downtime to plant and/or operational equipment; an attack that involves IoT or OT assets; a significant disruption to business processes caused by malware; a cyberattack that causes significant downtime; leakage of business-confidential information, such as emails; economic espionage (theft of business-critical information); a nation-state attack; cyber extortion such as ransomware; a data breach involving 10,000 or more customer or employee records; fines and/or lawsuits for non-compliance with data protection and privacy requirements; other.]

50% have experienced at least one attack against OT infrastructure that resulted in downtime in past 24 months


Finding #2: The C-level is heavily involved in the evaluation of cyber risk.

Not surprisingly, more than half (60%) of respondents report that C-level executives are most involved in the evaluation of cyber risk as part of their organization’s business risk management. Line-of-business and plant managers are most involved only about one-third (37%) of the time.

Figure 3. Who is most involved in the evaluation of cyber risk as part of your organization’s business risk management?

• Chief Information Officer: 25%
• Chief Information Security Officer: 12%
• Chief Security Officer: 6%
• Chief Risk Officer: 10%
• Chief Technology Officer: 7%
• Line of Business (LoB) Management: 29%
• Plant Management: 8%
• Other: 3%

60% report that C-level is most involved in the evaluation of cyber risk


Finding #3: Nearly half of OT sector organizations attempt to quantify damage from cyber events.

Nearly half of OT sector respondents (48%) say their organization attempts to quantify the damage to the business from the threats listed in Figure 4. In fact, quantifying the damage from downtime of OT systems is rated as the highest factor when quantifying overall cyber risk (see Figure 4).

OT downtime can result in millions of dollars of lost revenue, productivity, etc. For example, the Taiwan Semiconductor Manufacturing Company Ltd. reported that the WannaCry infection which crippled multiple factories would reduce quarterly revenues by 3%³ – estimated at more than $150 million.

Figure 4. Factors used to quantify risk

[Bar chart, 0% to 50%. Factors charted: downtime of OT systems; frequency of unpatched (known) vulnerabilities; theft of intellectual property; loss of employee productivity; financial loss; customer turnover; loss of market share; employee turnover; decline in stock price; other.]

1/2 say downtime of OT systems is biggest factor used to quantify risk

3 TSMC Details Impact of Computer Virus Incident


Finding #4: OT sector organizations expect significant threats in 2019.

• Third parties misusing or sharing confidential information: Although only 37% of OT sector respondents report that in the past 24 months a third party misused or shared confidential information with other third parties (see Figure 2), 65% list the threat as one of the top five they worry about in 2019 (see Figure 5) – making it the biggest expected threat this year. This isn’t surprising given many organizations in the OT sector rely on third parties to help them manage and maintain their OT infrastructure.

• OT attacks resulting in downtime are an increasing threat: While 50% of organizations experienced an attack in the past 24 months against OT infrastructure that resulted in downtime to plant and/or operational equipment (see Figure 2), 60% list it as one of the threats they’re most worried about in 2019 (see Figure 5).

• Nation-state attack threats continue: More than one-fifth (21%) of OT sector organizations list a nation-state attack as one of the threats they’re most worried about (see Figure 5). Nation-state attacks are especially concerning in the OT sector because they’re typically conducted by well-funded, highly capable cybercriminals and are aimed at critical infrastructure.⁴

Figure 5. Most worrisome threats in 2019

[Bar chart, 0% to 70%. Threats charted: third party misuses or shares confidential information with other third parties; leakage of business-confidential information, such as emails; an attack that involves IoT or OT assets; an attack against my company’s OT infrastructure that results in downtime to plant and/or operational equipment; a data breach involving 10,000 or more customer or employee records; an employee falls for a phishing scam that resulted in credential theft; economic espionage (theft of business-critical information); a cyberattack that causes significant downtime; a significant disruption to business processes caused by malware; a nation-state attack; cyber extortion such as ransomware; fines and/or lawsuits for non-compliance with data protection and privacy requirements; other.]

60% are worried about an attack against OT infrastructure

4 Refer to the US-CERT Technical Alert, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors”


Finding #5: 2019 governance priorities vary.

Increasing communication with the C-suite and board of directors about cybersecurity threats facing the organization is the number-one priority for 2019 (see Figure 6). The second priority is ensuring third parties have appropriate security practices to protect sensitive and confidential data. This objective aligns directly with the most worrisome threat for 2019: third-party misuse or sharing of confidential information with other third parties (see Figure 5).

Figure 6. 2019 governance priorities

[Bar chart, 0% to 80%. Priorities charted: increase communication with C-level and board of directors about the cyber threats facing our organization; ensure third parties have appropriate security practices to protect sensitive/confidential data; increase staff training to prevent behavior such as falling for a phishing scam or sharing passwords; allocate more resources to vulnerability management; increase the number of FTEs in our IT security function; other.]


Finding #6: 2019 security priorities address sophisticated OT threats.

As shown in Figure 7, the top two priorities, “Improve our ability to keep up with the sophistication and stealth of the attackers” and “Reduce the risk of attacks to the OT infrastructure,” align well with the previously discussed risk of nation-state attacks against OT infrastructure (see Figure 2).

Figure 7. 2019 security priorities

[Bar chart, 0% to 80%. Priorities charted: improve our ability to keep up with the sophistication and stealth of the attackers; reduce the risk of attacks to the OT infrastructure; improve protection of sensitive and confidential data from unauthorized access; reduce complexity in our IT security infrastructure; improve controls over third parties’ access to our sensitive/confidential data; ensure third parties have appropriate security practices to protect sensitive/confidential data; reduce the risk of unsecured IoT devices in the workplace; control the proliferation of IoT devices in the workplace; other.]


Finding #7: Organizations are challenged to improve cybersecurity.

Visibility into the attack surface is insufficient

Using a five-point scale of strongly agree to strongly disagree, only 20% of OT sector respondents agree or strongly agree they have sufficient visibility into their organization’s attack surface (see Figure 8). This is concerning because all security controls and processes depend on the visibility provided by comprehensive asset inventories. A complete hardware and software inventory is fundamental to all security frameworks and compliance requirements, including the CIS Controls, NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC CIP.

Inadequate staffing and manual processes limit vulnerability management

The cybersecurity skills shortage has exacerbated the issues created by reliance on manual processes. This skills shortage is especially evident in vulnerability management because organizations often lack sufficient vulnerability management staff to execute the manual processes.

Figure 8. Perceptions about the challenges security teams face

Percentages represent combined Strongly Agree and Agree responses

• 20%: I have sufficient visibility into my organization’s attack surface
• 39%: The security function of our organization has adequate staffing to scan vulnerabilities in a timely manner
• 53% 55%: Our organization is at a disadvantage in responding to vulnerabilities because we use a manual process; Security spends more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog


CONCLUSION

Organizations in the OT sector are aligning their 2019 security priorities to address their most significant worries in 2019. The survey results suggest multiple recommendations for improving security in 2019 and beyond:

• Improve communication with the C-suite and board of directors about the cyber threats facing the organization. This will help identify and address gaps among the organization’s risk appetite and actual risk exposure.

• Improve visibility into the attack surface. Blind spots can result in unmanaged and unsecured IT and OT systems. Complete visibility is required for organizations to assess their risk.

• Increase the use of automated processes to compensate for the security staff shortage.

• Continue to recognize the security impact of interdependencies between IT and OT systems. Vulnerabilities and other weaknesses in IT systems can put interconnected OT systems at risk, and vice versa.

Need help getting visibility into your OT infrastructure? Check out the blog post, “Gaining Greater Insight into Operational Technology Environments.”


Please write to [email protected] or call 800.887.3118 if you have any questions.

Ponemon Institute

Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advance responsible information and privacy-management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.


7021 Columbia Gateway Drive Suite 500 Columbia, MD 21046

North America +1 (410) 872-0555

www.tenable.com

COPYRIGHT 2019 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.