INTRODUCTION
The Critical Infrastructure sectors are facing a perfect storm in cybersecurity. Operational technology (OT) organizations are challenged with growing vulnerabilities, new and existing cybersecurity gaps, an expanding attack surface, and rising global threats.
Well-resourced, sophisticated actors such as ransomware gangs and nation-state hackers have Critical Infrastructure organizations in their sights. In 2021, 83% of surveyed Critical Infrastructure organizations said they experienced cybersecurity breaches1. As attacks continue to escalate and Critical Infrastructure weaknesses remain unmitigated, The Big Shutdown — a large-scale disaster with broad, harmful implications — looms closer to reality. Critical Infrastructure organizations can no longer wait on the sidelines, underprepared.
To understand the state of Critical Infrastructure cybersecurity and gain insights into organizations’ preparedness and best practices, Rockwell Automation commissioned ISMG to survey IT and cybersecurity leaders across multiple Critical Infrastructure industries. This report presents our findings, along with lessons learned and recommendations.
We’ve organized this report into five core themes aligning with the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond and Recover). This framework is also used by Rockwell Automation as a fundamental roadmap for assessing and strengthening Critical Infrastructure cybersecurity.
EXECUTIVE SUMMARY
Threat actors who want to wreak havoc or get fast return on investment have found Critical Infrastructure organizations an appealing target. Ransomware gangs, for instance, often target utilities, energy, oil and gas companies. They are the most likely among all sectors to pay ransom2 because they can’t risk any downtime.
The complexities of the IT and OT environment also make it tougher for these organizations to recover, and the harm of shutdowns can be immense, including downtime, financial losses and threats to public safety and well-being.
The ISMG survey shows that Critical Infrastructure organizations are moving in the right direction. They are taking steps to improve cybersecurity preparedness and resiliency. Yet the survey also shows progress is slow compared to the urgency. Many are struggling to overcome hurdles such as budget and talent shortages, lack of management prioritization, and lack of insight about how to best shore up defenses now.
The majority are missing or are going much too slowly on fundamental steps like inventory assessments, network segmentation and threat monitoring. Consequently, widespread vulnerabilities across Critical Infrastructure persist.
