Unmanaged third-party access threatens OT environments – Help Net Security
Many industrial organizations lack the resources, expertise, and collaborative processes to effectively mitigate threats and ensure secure access to operational technology (OT) systems, according to Cyolo.
Ensuring secure access to OT environments is about more than just cybersecurity. These environments contain highly sensitive systems and critical infrastructure responsible for keeping manufacturing lines running, water and electricity flowing, and performing other tasks vital to the smooth functioning of our communities.
“Our world has become increasingly interconnected, and the findings of this report highlight the vital need for organizations to reevaluate and enhance their strategies for ensuring secure access into OT environments,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute.
OT systems were historically isolated for security reasons but are now facing increased connectivity to IT networks and the internet (sometimes called IT/OT convergence). At the same time, more third-party vendors and contractors are being given remote access to OT environments. These shifts introduce serious new risks that can leave organizations exposed to safety and security threats if access and connectivity are not properly controlled.
Lack of communication between IT and OT teams
73% of organizations permit third-party access to OT environments, with an average of 77 third parties per organization granted such access. Challenges to securing third-party access include preventing unauthorized access (44%), aligning IT and OT security priorities (43%), and giving users too much privileged access (35%).
73% lack an authoritative OT asset inventory, putting organizations at significant risk. 71% report that IT or IT and OT together are responsible for securing OT environments. However, collaboration and communication are lacking, with 37% reporting little or no collaboration, and 19% reporting that teams talk about OT security issues only when an incident occurs.
Reducing security risk is the top objective of companies pursuing IT/OT convergence (59%), and yet 33% of organizations not pursuing convergence cite security risk as a top factor for their decision.
49% of organizations have not reassessed the security and effectiveness of remote access tools adopted during the COVID-19 pandemic.
IT/OT integration faces substantial challenges
But despite the strong push toward convergence, substantial challenges remain when it comes to connecting IT and OT systems. Seven top challenges are faced by at least a quarter of organizations. These include lack of budget (42%), security risks (35%), siloed teams (32%), skills gap (31%), and technology integration (30%).
Organizations that operate OT environments face real and persistent obstacles when it comes to securing critical systems against unauthorized access and other cyberthreats. The isolation that once largely protected OT and industrial control systems (ICS) from such threats has given way to a new era of connectivity that promises greater productivity and security even while creating serious potential risks.
At the same time, organizations depend on the specialized skills and subject matter expertise of third-party vendors to help keep operations running, but connecting these users and their devices to OT environments without implementing the proper access controls also increases risk.
“We are at a crucial point in the evolution of OT security, and the need to secure access to critical systems from internal and external threats is more urgent than ever. The stakes are exceptionally high, as a breach could jeopardize not just data but also the functioning of critical infrastructure, risking the safety of workers and the environment,” said Joe O’Donnell, EVP of Corporate Development and GM of OT at Cyolo.
“This research reveals a pressing need for new approaches, especially in areas like third-party and privileged access, the security of legacy systems, and collaboration between IT and OT teams,” concluded O’Donnell.