Despite OT security increasingly becoming a mainstream concern, only 27% of companies delegate budget control over securing their operations infrastructure to their CISOs or CSOs, according to global analysis by cybersecurity provider Opswat.
Where this is not the case, critical industrial control system (ICS) and OT requirements are overlooked or ignored in budget allocation.
Nearly half of the organizations surveyed by Opswat spend just a quarter of their security budget on critical infrastructure protection — this despite 27% reporting they had experienced one or more security incidents related to their control systems in the past 12 months.
“Cybersecurity budgets have increased, but a large portion of these investments are still focused on traditional business systems like IT,” said Holger Fischer, director of sales for EMEA Central at Opswat, commenting on the results.
This leads to ICS/OT environments being unprepared for cyberthreats, jeopardizing the company as a whole, the security specialist warned.
Cross-sector security strategy required
Nearly three out of every five (58%) respondents stated that attacks on OT networks initially occurred through a compromise of IT. Other attack vectors include internet-connected devices (33%), compromise of engineering workstations (30%), and exploited publicly accessible applications (27%).
“This highlights the interconnectedness of IT and OT environments and demonstrates the importance of integrated security strategies to combat cross-domain vulnerabilities,” the study authors conclude.
According to Fischer, targeted investment in ICS/OT-specific security training is necessary to effectively protect critical infrastructure. This would give people who monitor ICS controllers a deep understanding of control system networks.
“Companies that fail to reassess the threats to their ICS environments are exposing their critical infrastructures to increasingly sophisticated attacks. Protecting these technical systems is no longer an option, but critical to operational resilience and national security,” he said.