Is the Industry Getting Complacent?

Although 50% of the respondents to a 2019 SANS report on OT/ ICS cyber security rate threats high or critical, this number has dropped by almost 20% since their 2017 survey.

A more sobering indication of industry cyber complacency comes from ARC Advisory Group’s Larry Obrien reporting on data shared at this year’s Honeywell User Group. Of more than 1700 Honeywell upgrade projects completed in 2017 and 2018, globally, only 12 % specified any cyber security products or services. And of the 1,400 upgrades planned for this year, only 8% specified cybersecurity product or services scope.

Assuming they are implementing automation systems that will likely last for 15 or 20 years, this means that a significant number of automation users will be going forward with no cyber security – or with cyber security that will be bolted on after the fact, at a high cost and uncertain effectiveness.

“There are missed opportunities to enhance cybersecurity with the daily management of change (MoC) processes, product selection, RFP specification, design & engineering, configuration, and both planned and unplanned outages. A control systems upgrade provides the most cost-effective and easiest opportunity to make significant cybersecurity improvements,” writes O’Brien.

Bedrock Automation recognizes the if-it-ain’t-broke-don’t-fix-it type dilemma that most companies face when it comes to justifying cyber security expenses, which is why we build top-of-the-line security into every control system we make at no extra cost. And because we designed it that way from the ground up, we can also provide a more powerful, modern and open system than anyone else, at a much lower cost of ownership with cyber security built in.

As O’Brien implies, a control system migration without considering cyber security is a major missed opportunity.

For a related story on the importance IT/OT collaboration realizing benefits of digitalization see: When IT and OT Meet, What Happens to Cyber Security?