Organisations demonstrate strong appetite for digital transformation but misplaced confidence could be putting them at risk
Over two thirds (68%) of UK chemical organisations have detected cyber attacks on their Operational Technology (OT) or Industrial Control Systems (ICS) in the last 12 months, with 85% of these encountering at least one successful attack, according to new research from independent cyber security services company Bridewell.
These findings come despite 82% of chemical organisations saying they are confident that their OT systems are protected from threats, highlighting a degree of misplaced confidence in CNI cyber security in the sector.
The research, which surveyed 250 UK IT decision makers in the aviation, chemical, energy, transport, and water sectors, found that the chemical sector is the second most confident when it comes to cyber security. However, organisations facing increasing risks posed by ageing legacy infrastructure that is becoming increasingly connected.
The majority (70%) of chemical organisations rely on OT systems that are between 6-20 years old, with nearly a third (30%) between 11-20 years old. Systems are also increasingly accessible with 74% confirming that their OT / ICS environments are accessible from corporate networks. Less than a third (30%) say systems are not currently accessible from the Internet, and of those, 53% plan to make them accessible in the future, potentially widening the attack surface and introducing new threats.
“The research highlights some nuances between how some organisations in the chemical sector perceive their cyber security posture versus reality” says Scott Nicholson, Co-CEO at Bridewell. “Security vulnerabilities, whilst challenging to remediate within some organisations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent.”
Covid-19 has also intensified cyber threats with over half (53%) of UK chemical organisations experiencing increased attacks since the pandemic began. Yet nearly a third (32%) have reduced cyber security budgets in response. This is putting increasing pressure on IT and security teams with 74% agreeing they have felt an increasing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months.
Cyber strategy and compliance could also be improved, with less than two thirds of organisations (60%) saying physical and cyber security strategies are aligned and nearly a quarter (24%) admitting to not fully understanding the requirements of the NIS Directive. Despite this, 98% of organisations are carrying out some form of security assurance activities, but only a third (36%) carry out penetration testing and less than a third (30%) conduct red, blue or purple team exercises.
This could be due to increased workloads, with an increase in responsibilities and duties cited as the top challenge facing cyber security teams today (cited by 28% of respondents), followed by budget constraints (24%). Skills are also a worry as while 72% believe they have the right skills in place to maintain and secure their OT environment, 76% agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next 3 to 5 years.
The research shows that the chemical sector has the weakest understanding of the NIS Directive and was the least prepared for the NIS assessments. While steps are being taken to improve cyber security in the sector, more needs to be done to strengthen defences. Organisations, government and industry experts need to continue to work cohesively to plug any gaps and mitigate risks before it’s too late.