Nearly all of the 800 respondents to a Barracuda Network survey, 93%, said they've failed in security IIoT and OT projects. Pictured: A UV cleaning robot cleans the floor near the ticketing windows at Pittsburgh International Airport on May 7, 2020, in Pittsburgh, Pa. (Photo by Jeff Swensen/Getty Images)

Barracuda Networks on Tuesday released a survey of 800 security managers responsible for industrial internet of things (IIoT) and operational technology (OT) that found 93% of organizations had failed in their IIoT/OT projects.

On the plus side, for the small percentage of organizations with completed IIoT/OT security projects, 75% experienced no impact at all from a major incident.

But that was some rare good news from this report: some 94% of organizations surveyed have experienced a security incident in the last year. And only 18% of companies surveyed restrict network access and enforce multi-factor authentication when it comes to remote access to OT networks.

Critical verticals like energy — 47% — allow full remote access without MFA for external users. And less than half of organizations surveyed, 49%, can handle applying security updates themselves. Overall, manufacturing and healthcare are lagging when it comes to implanting security projects.

While the number of failed IoT/OT security projects is alarming at 93%, there’s good news in that attempts are being made and learned from to improve IoT/OT security, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said as highlighted in the Barracuda study, many organizations face implementation challenges, including basic cyber hygiene — even if failed, projects help to show where an organization's IoT/OT security barriers exist. 

“There’s a large divide between IT security and IIoT/OT security, and it will take both cycles of learning by doing and deploying new technologies to close that gap,” Broomhead said. “Given the significant differences between IT security and IIoT/OT security, organizations will have to learn from these efforts to become more mature in how to approach IoT/OT security. “

Joseph Carson, chief security scientist and advisory CISO at Delinea, said OT systems used for managing the heavy industrial equipment common across these sectors often operate in a very different fashion to traditional IT. Carson said systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks.

“Gaining centralized visibility and management of such a complex environment can be extremely challenging,” Carson said. “This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected. The conflicting network architecture also means that standard security measures such as role-based access control and multi-factor authentication are close to impossible to implement without purpose-built tools. These issues elevate the potential threat of a nation-state actor infiltrating the system and causing serious disruption.”

Pan Kamal, head of product at BluBracket, said as the lines blur between infrastructure and applications, software-as-code has become a major target for sophisticated attackers. Kamal said OT systems built on this type of infrastructure are often susceptible to code-based attacks.

“Attackers have been successful in finding and leveraging secrets in code — unencrypted passwords being passed between code modules, API tokens, and credentials,” Kamal said. “Organizations that do not include application security testing and code risks as a part of their cybersecurity regimen will face intrusions based on stolen credentials, access to code that has inadvertently made it into the public repositories, and unauthorized access into code repositories resulting in code tampering and injection of malicious code.”