88% of UK energy organisations have detected cyber attacks on their Operational Technology (OT) or Industrial Control Systems (ICS) environments in the last 12 months, with 91% of these encountering at least one successful attack, according to new research from independent cyber security services company Bridewell.
These findings come despite 86% of energy organisations saying they are confident that their OT systems are protected from threats, highlighting a degree of misplaced confidence in CNI cyber security in the sector.
The research, which surveyed 250 UK IT decision makers in the aviation, chemical, energy, transport, and water sectors, found that energy is the most confident sector when it comes to cyber security. However, organisations facing increasing risks posed by ageing legacy infrastructure that is becoming increasingly connected.
The majority (72%) of energy organisations rely on OT systems that are between 6-20 years old, with over a quarter (26%) between 11-20 years old. Systems are also increasingly accessible with 94% confirming that their OT / ICS environments are accessible from corporate networks. Less than a third (30%) say systems are not currently accessible from the Internet, and of those, 60% plan to make them accessible in the future, potentially widening the attack surface and introducing new threats.
“The research highlights some nuances between how some organisations in the energy sector perceive their cyber security posture versus reality” says Scott Nicholson, Co-CEO at Bridewell.
“The sector has the highest levels of confidence in cyber security, yet it is the most likely to have made OT environments internet-accessible. Security vulnerabilities, whilst challenging to remediate within some organisations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent.”
Covid-19 has also intensified cyber threats with nearly half (44%) of UK energy organisations experiencing increased attacks since the pandemic began. Yet nearly a third (30%) have reduced cyber security budgets in response. This is putting increasing pressure on IT and security teams with 80% agreeing they have felt an increasing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months.
Encouragingly, 98% of organisations are carrying out some form of security assurance activities. However, less than half (48%) carry out penetration testing and only 36% conduct red, blue or purple team exercises, vital activities that can identify vulnerabilities and reduce the likelihood of attacks.
This could be due to mounting pressures, with too much workload cited as the top challenge facing cyber security teams today (cited by 34% of respondents), followed by keeping up-to-date with changes in the cyber security industry (26%). Skills are also a worry as while 80% believe they have the right skills in place to maintain and secure their OT environment, 86% agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next 3 to 5 years.
“The energy sector has the highest levels of confidence in having the right skills to maintain and secure OT environments, but there are still areas for improvements in cyber security. Assurance activities, such as penetration testing and red team assessments, need to be standard practice across the whole industry and organisations, government and industry experts need to continue to work cohesively to plug any future skills gaps and mitigate risks before it’s too late,” Scott Nicholson