Critical Infrastructure Security, Network Security, Vulnerability Management

More than one-third of OT/ICS organizations lack visibility into their networks

Despite some progress on OT/ICS security, over a third of organizations still don't know if their company was compromised, according to a new survey by Nozomi Networks and the SANS Institute. (Photo by Brandon Bell/Getty Images)

A Nozomi Networks report conducted in tandem with the SANS Institute found that despite some progress on OT/ICS security, some 35% of organizations still don’t know whether their company has been compromised, and that attacks on engineering workstations doubled in the last 12 months.

The report, released Friday, found that ransomware and financially motivated attacks topped the list of threat vectors at 39.7%, followed by nation-state attacks at 38.8%. Non-ransomware criminal attacks came in third, cited by 32.1%, followed closely by hardware/software supply chain risk at 3.4%.

While 62% of respondents rated the risk to their OT environment as high or severe, that figure is down from 69.8% in 2021.

“While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available,” said Andrea Carcano, co-founder and CPO at Nozomi Networks. “The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience.”

Ariel Evans, chief executive officer at RiskQ, said most companies don’t have a digital asset inventory, which not only prevents them from being compliant with regulatory requirements — it leaves them unable to protect their assets. “You can’t protect what you can’t see,” said Evans.

The main driver for the lack of OT/ICS awareness stems from how OT networks have traditionally been managed and operated, explained Jason Hicks, executive advisor and Field CISO at Coalfire. Hicks said that historically they were disconnected from the firm’s other networks and the internet, and tasks like software updates typically came into those environments via thumb drives.

“Also, many of the devices are running specialized operating systems that don't tolerate being scanned for vulnerabilities, and don't support running your typical endpoint protection suite,” Hicks said. “Imagine if your vulnerability scan shut down power to a substation, for example. Due to all these factors, it's not common for the operators to have the kind of security-focused visibility tools we are used to having on corporate networks.”

Joseph Carson, chief security scientist and Advisory CISO at Delinea, added that OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Carson said gaining centralized visibility and management of such a complex environment can be extremely challenging.

“This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected,” Carson said. “The conflicting network architecture also means that standard security measures such as role-based access control and multi-factor authentication are close to impossible to implement without purpose-built tools. These issues elevate the potential threat of a nation-state actor infiltrating the system and causing serious disruption.”
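The experts above make two points that fit together: OT devices cannot safely be scanned, and you cannot protect assets you have never inventoried. The usual answer is passive inventory, deriving the asset list and its communication map from traffic that is already on the wire rather than from probes sent to the devices. The example below is added here to illustrate that approach; it is not code from Nozomi Networks, SANS, or the report. It assumes a handful of constructed flow records (source, destination, destination port, transport, byte count) of the kind a span port or NetFlow collector would produce, and a small port-to-protocol map covering Modbus/TCP, S7comm, DNP3 and EtherNet/IP; the zone range and all addresses are invented.

```python
"""Passive OT asset inventory built from flow records (illustrative example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto, bytes). Invented data.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.5.21", 502, "tcp", 1200),     # HMI -> PLC, Modbus/TCP
    ("10.20.1.10", "10.20.5.22", 502, "tcp", 900),      # HMI -> second PLC
    ("10.20.1.15", "10.20.5.21", 102, "tcp", 4000),     # engineering workstation -> PLC, S7comm
    ("10.20.5.30", "10.20.5.31", 20000, "tcp", 300),    # RTU -> RTU, DNP3
    ("10.20.1.15", "203.0.113.8", 443, "tcp", 50000),   # engineering workstation -> outside the OT zone
    ("10.20.1.10", "10.20.5.21", 502, "tcp", 1100),     # repeat HMI -> PLC
]

# Well-known ICS protocol ports (assumed mapping; real deployments also use DPI).
ICS_PORTS = {502: "modbus-tcp", 102: "s7comm", 20000: "dnp3", 44818: "ethernet-ip"}

# Address space that is supposed to be the isolated OT zone (assumption for the example).
OT_ZONES = [ip_network("10.20.0.0/16")]


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)      # ICS protocols seen on the wire
    roles: set = field(default_factory=set)          # "<protocol>:client" / "<protocol>:server"
    peers: set = field(default_factory=set)          # every address this asset talked to
    external_peers: set = field(default_factory=set) # peers outside the OT zone


def is_internal(ip: str) -> bool:
    """True when the address lies inside one of the declared OT zones."""
    addr = ip_address(ip)
    return any(addr in net for net in OT_ZONES)


def build_inventory(flows):
    """Derive assets, roles and peer relationships purely from observed flows.

    Nothing here sends a packet to a device, which is the whole point for
    equipment that does not tolerate active scanning."""
    inventory = {}

    def asset(ip):
        return inventory.setdefault(ip, Asset(ip))

    for src, dst, dport, _proto, _nbytes in flows:
        s, d = asset(src), asset(dst)
        s.peers.add(dst)
        d.peers.add(src)
        if dport in ICS_PORTS:
            name = ICS_PORTS[dport]
            s.protocols.add(name)
            d.protocols.add(name)
            s.roles.add(f"{name}:client")   # initiator of an ICS session: HMI / engineering host
            d.roles.add(f"{name}:server")   # responder: PLC, RTU, or other controller
        if not is_internal(dst):
            s.external_peers.add(dst)
    return inventory


def classify(asset: Asset) -> str:
    """Coarse asset type inferred from protocol roles (heuristic, not authoritative)."""
    if any(r.endswith(":server") for r in asset.roles):
        return "controller"
    if any(r.endswith(":client") for r in asset.roles):
        return "supervisory"      # HMI or engineering workstation
    return "unknown"


def findings(inventory):
    """Flag internal hosts that drive ICS sessions and also talk outside the OT zone.

    That combination is exactly the engineering-workstation exposure the
    report highlights: a host with write access to controllers that also has
    a path to networks the OT zone was assumed to be isolated from."""
    out = []
    for a in inventory.values():
        if not is_internal(a.ip):
            continue
        if a.external_peers and classify(a) == "supervisory":
            out.append((a.ip, "ics-client-with-external-peer", sorted(a.external_peers)))
    return out


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, a in sorted(inv.items()):
        print(f"{ip:14} {classify(a):12} protocols={sorted(a.protocols)} peers={len(a.peers)}")
    for f in findings(inv):
        print("FINDING:", f)
```

On the constructed data the engineering workstation 10.20.1.15 is the one finding: it opens S7comm sessions to a controller and also reaches an address outside the OT zone. The port map is the weakest part of any such tool; production passive-monitoring products parse the protocols themselves rather than trusting port numbers, but the data flow (tap, inventory, role inference, policy check) is the same.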
