Signs of Hope in Cyber Security, But …
August 27, 2020
Accenture has published its 2020 Cybersecurity Resilience Report based on its survey of 4,644 executives in 24 industries. Although few if any of these executives are likely involved much in operational technology (OT) security, the results do contain some valuable lessons for OT. Although about one-fifth of the respondents believed they had improved their ability to recognize, respond to and recover from cyberattacks at traditional access points, they were also concerned that attackers would find other attack vectors, such as their supply chains. They also reported rising cyber costs and were thus concerned that their success was not sustainable.
The researchers identify two categories of respondents: leaders and non-leaders. The leaders, 17 percent of the group, were those who reported having stopped more attacks, discovered and fixed breaches faster, and lowered breach impact. The percentage of leaders spending more than 20 percent of their budgets on cyber security was more than double what it was three years ago. And they felt they were seeing a return on that investment. The total number of targeted cyberattacks dropped 11 percent, from 232 to 206 targeted attacks, and the total number of security breaches dropped 27 percent.
Despite those positive numbers, however, there was concern that parts of the business were still exposed. Accenture reported that 40 percent of security breaches are now indirect, as threat actors target the weak links in the supply chain.
“Fully 83 percent of our respondents agreed that their organizations need to think beyond securing their enterprises and take steps to secure their ecosystems to be effective,” said the report authors.
There was also significant concern about rising cyber security costs. 60 percent of respondents reported cost increases on 17 key cyber security components over the last two years. The largest increases were in the cost of network security, threat detection and security monitoring. (Figure 1)
“…69 percent of our respondents said staying ahead of attackers is a constant battle and the cost is unsustainable,” said the Accenture authors.
Lessons for OT
These cost increases affect both the leaders and the non-leaders. The leaders, the 17 percent who did feel they were getting something for their money, were concerned that they were vulnerable in the supply chain and ecosystem and that they would not be able to afford to continue receiving that protection.
The non-leaders, the remaining 83 percent, were paying higher prices and getting less. They were subject to more security breaches and more impactful breaches, and they were taking more time to fix the problem. Whether this was because they were spending less on protection or because the protection they were implementing was less effective, it should raise warning flags for any investment in the bolt-on cyber security solutions shown in Figure 1.
We also note that “OT-related” security shows up at position 12 in the cost-increase scale, but we must point out that virtually all current products marketed for OT cyber security also fall into one of the other categories called out on the list. There is no mention of control system cyber security per se, but if the industry does take it seriously, we shouldn’t ever see it on Accenture’s rising cost list because it should be built into the control electronics at no additional cost. That is a true sign of hope.