CNI organisations demonstrate strong appetite for digital transformation but misplaced confidence could be putting organisations at risk
The majority (86%) of critical national infrastructure (CNI) organisations have detected cyber attacks on their Operational Technology (OT) or Industrial Control Systems (ICS) in the last 12 months, and 93% of those admit to at least one successful attack, according to new research from Bridewell.
These findings come despite over three quarters (78%) saying they are confident that their OT systems are protected from cyber threats, highlighting a degree of misplaced confidence in CNI cyber security. The research, which surveyed 250 UK IT decision makers in the aviation, chemical, energy, transport and water sectors, found that organisations face growing risk from ageing legacy infrastructure that is becoming increasingly connected.
The majority (79%) of organisations rely on OT systems that are between 6 and 20 years old, with a third (34%) between 11 and 20 years old. These systems are also increasingly reachable: 84% confirm that their OT / ICS environments are accessible from corporate networks, and only 42% state that their OT / ICS environments are not accessible from the Internet. Furthermore, over half of those whose systems are not currently accessible from the Internet plan to make them accessible in the future, widening the attack surface and introducing new threats.
Trusted Third Party Suppliers and Partners
The research also shows that CNI organisations generally trust third party suppliers and partners, with the supply chain rated as the lowest risk. However, the National Cyber Security Centre (NCSC) and revisions to the NIS Directive (NIS 2) have identified the supply chain as a significant area of risk for CNI organisations, indicating a possible gap in awareness of certain cyber threat vectors.
The report highlights a gap between how some CNI organisations perceive their cyber security posture and the reality. Security vulnerabilities, whilst challenging to remediate within some CNI organisations, can have serious consequences, not just substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent.
Covid-19 has also intensified cyber threats, with half of CNI organisations experiencing increased attacks since the pandemic began. Yet nearly a third (32%) have reduced their cyber security budgets in response. This is putting increasing pressure on IT and security teams, with 85% agreeing they have felt growing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months.
Security Assurance Activities
Encouragingly, nearly all (99%) organisations carry out some form of security assurance activity. However, fewer than half conduct penetration testing (42%) and only just over a third (37%) carry out red team assessments, both vital activities that identify vulnerabilities and reduce the likelihood of successful attacks.
This could be due to fear of system impact inadvertently caused by testing, lack of knowledge, or a view that the system is not at risk because it is not connected to the Internet, a view that is hard to sustain when 84% report that their OT / ICS environments are reachable from the corporate network. Lack of skills and a growing requirement to take on more tasks and responsibilities are cited as the top challenges facing security teams across CNI today (both cited by 23% of respondents). The problem is not set to improve, with 84% of organisations agreeing that the UK’s CNI industry will be affected by a critical cyber security skills shortage in the next 3 to 5 years.
Legislation like the NIS Directive and NIS Regulations has certainly helped to improve cyber security in the sector, but there is still room for improvement. Proactive cyber security activities such as vulnerability management, penetration testing, patching and threat assessments should be standard practice across the industry. This can be a challenge when balanced against the operational demands of the business, particularly in areas like patching where availability may be king. However, attackers do not care about those constraints, so organisations, government and industry experts need to continue to work cohesively to solve these challenges before it is too late.
Bridewell is a cyber security services company providing global, 24x7 managed detection and response services and cyber security consultancy. Contact us today for more information.
With extensive experience in delivering large-scale transformational projects in highly regulated environments, Bridewell enables organisations to drive strategic change securely, providing a full breadth of end-to-end cyber security services. Its expert team comprises a diverse range of highly skilled consultants, supported by industry leading technology, deep technical expertise, accredited methodologies and a client-centric, business driven approach.
Bridewell delivers a wide range of services across critical national infrastructure, aviation, financial services, government and oil and gas. The company holds a number of industry accreditations, including NCSC, CREST, ASSURE, IASME Consortium, Cyber Essentials Plus, ISO27001 and ISO9001, and is a PCI DSS QSA company.