Vulnerable infrastructure operators are 'switching off' security to avoid downtime
Out-of-date systems are vulnerable to cyber attacks and lack purpose-built products to adequately protect them
Roughly a third of operational technology (OT) businesses have resorted to switching off their cyber security protections due to the impact on normal processes and overall productivity, fresh research has found.
OT firms are consistently encountering a loss of productivity as a result of having security protections running, according to cyber security firm Kaspersky, having surveyed operators of industrial infrastructure across 17 countries and every continent. Many firms have, therefore, in the past simply switched off these protections in order to get by.
One of the main blockers to achieving adequate security in OT environments, according to respondents, is the lack of purpose-built security solutions on the market.
Nearly half of those surveyed (40%) said their current security tools were not compatible with their automation systems and a similar proportion (38%) said they could clearly remember cases where security systems have adversely affected the company’s operations.
This incompatibility can cause disruption or interruption of key processes, leading to operational downtime. Kaspersky said OT businesses are struggling to find a balance between security and operational sustainability, given downtime can potentially cost up to $260,000 (£200,000) an hour, according to GE Digital’s figures.
One of the key reasons why OT firms are unable to source purpose-built security solutions is that many of their industrial control systems (ICS) are old and can no longer be upgraded, with around one-in-six endpoints proving impossible to upgrade.
“Our largest issue with our OT and ICS is that the equipment we own isn’t upgradable beyond its current level,” said one manufacturing firm based in the US. “The manufacturers don’t offer any type of upgrade to our current systems. We are stuck on outdated platforms that are, and remain, vulnerable.”
How a platform approach to security monitoring initiatives adds value
Integration, orchestration, analytics, automation, and the need for speedFree Download
Kaspersky also revealed that the OT businesses least affected by cyber security incidents had a considerably higher rate of installing industry-specific security tools compared to those who suffered the most attacks.
“In the past, asset owners reasonably assumed that the protection and automation systems responsible for the core business processes of an industrial organisation would be left undisturbed throughout the equipment’s lifetime, lasting decades – with the possible exception of occasional settings changes,” said Kirill Naboyshchikov, business development manager at Kaspersky Industrial CyberSecurity.
“However, with the introduction of next-generation digital automation systems, there are many instances where this may no longer be the case.”
There are a number of workarounds to compatibility issues that Kaspersky recommends, such as segmenting networks, performing security audits, and conducting penetration testing exercises to unearth security gaps.
OT and ICS have become prime targets for cyber criminals in recent years. Ageing and outdated systems that can’t run the best security software, combined with the supply chain necessity that these companies continue to deliver their services, means they have become targets for ransomware attackers specifically, cine the pressure to pay is so high.
That was exactly the case with Colonial Pipeline which was targeted by DarkSide ransomware last year, infamously leading to gasoline shortages in the US. The company eventually paid the ransom since the supply chain demand was too high to stall any longer.
It’s a common theme, too - research published at the end of 2021 revealed that 83% of critical infrastructure organisations had suffered cyber attacks within the previous three years.
New ways of breaking into OT and ICS are also being devised at a rapid rate. Research from Dragos, published earlier this year, showed the number of security vulnerabilities targeting critical infrastructure doubled in 2021, with one-in-four having no available patches.
Activation playbook: Deliver data that powers impactful, game-changing campaigns
Bringing together data and technology to drive better business outcomesFree Download
In unpredictable times, a data strategy is key
Data processes are crucial to guide decisions and drive business growthFree Download
Achieving resiliency with Everything-as-a-Service (XAAS)
Transforming the enterprise IT landscapeFree Download
What is contextual analytics?
Creating more customer value in HR software applicationsFree Download