Barracuda found that 93% of organizations in the areas of IIoT/OT have experienced a failed security project.

smarthospital-iot-image.jpg
Image: Zyter, Inc

As companies look to take the next step with Industrial Internet of Things (IIoT) and operational technology (OT), a new study has revealed that the majority of them have failed security projects around these two types of technology. Barracuda Networks surveyed 800 senior IT managers, senior IT security managers and project managers as part of its “The State of Industrial Security in 2022” report, and found that a whopping 93% have suffered from failed security projects.

This can potentially make a huge difference when it comes to organizations remaining secure, as 75% of companies that have completed a security project have not experienced any impact at all from a major incident.

“In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk,” said Tim Jefferson, SVP, Engineering for Data, Networks and Application Security at Barracuda. “Issues such as the lack of network segmentation and the number of organizations that aren’t requiring multi factor authentication (MFA) leave networks open to attack and require immediate attention.”

SEE: Hiring Kit: IoT developer (TechRepublic Premium)

Aspects of critical infrastructure are vulnerable

Critical infrastructure is under constant threat of attack, according to Barracuda, with businesses facing a number of challenges related to not only cybersecurity but also an increasingly hostile geopolitical environment. According to the study, 94% of organizations surveyed said they had experienced a security incident within the last year, and 89% are concerned about the effects that uneasy international relations the U.S. has with countries such as China or Russia may have on their respective enterprises.

Gartner just last month published a report detailing the eight cybersecurity predictions looking ahead, with threat actors having weaponized operational technology environments successfully to cause human casualties as one of the main concerns for organizations to be aware of in the coming years.

Because of this growing sense of cybersecurity risk in areas of IIoT/OT, companies know they need to increase their security awareness, but areas of manufacturing and healthcare still lag behind when considering security protocols. Barracuda reports that 50% in oil and gas sectors have completed projects, while only 24% in manufacturing and just 17% in healthcare have completed projects. This leaves key areas at risk, which could lead to Gartner’s prediction coming true by 2025.

“IIoT attacks go beyond the digital realm and can have real-world implications.” said Klaus Gheri, VP of Network Security at Barracuda. “As attacks continue to rise across industries, taking a proactive security approach when it comes to industrial security is critical for businesses to avoid being the next victim of an attack.”

How do critical infrastructure orgs patch security concerns?

One area that has come along slowly even with the adoption of IIoT/OT is lack of multi-factor authentication. Less than a fifth (18%) of organizations surveyed restrict network access and enforce MFA when it comes to remote access to OT networks. Even in areas such as energy, 47% still allow full access without the use of MFA. Widespread enactment of MFA could be the difference between a key sector of the country remaining vulnerable or potentially avoiding a disastrous attack with far-reaching consequences.

Other ways companies can prevent attacks are by implementing proactive security updates rather than reactive ones, offering better training for employees to ensure that updates can be applied by the organization itself and automating those processes so it is not having to be installed manually, avoiding potential confusion. If organizations can put these potential fixes into practice, especially when it comes to critical infrastructure, serious attacks leading to potential loss of revenue or even human life can be averted.