The vast majority (86%) of critical national infrastructure (CNI) organizations in the UK have experienced cyber-attacks on their operational technology (OT) and industrial control systems (ICS) in the past 12 months, according to a new study by Bridewell Consulting.
Worryingly, more than nine in 10 (93%) of those that experienced attacks in this period admitted that at least one was successful.
The survey of 250 UK IT decision makers in the aviation, chemical, energy, transport and water sectors also found that a substantial proportion of organizations use legacy OT systems. A third (34%) rely on systems that are between 11-20 years old, while 79% use systems aged between six-20 years.
CNI organizations’ legacy infrastructure is also becoming increasingly connected, which is potentially widening the attack surface, with 84% confirming their OT/ICS environments are accessible from corporate networks. Additionally, just 42% of those surveyed said their OT/ICS systems are not currently accessible from the internet, and over half of those plan to make them accessible in the future.
The researchers also revealed that almost a third (32%) of CNI organizations have reduced their security budgets since the start of the COVID-19 pandemic, which has led to 85% of IT and security teams feeling growing pressure to improve cybersecurity controls for their OT/ICS environment.
Lack of skills and increasing responsibilities was another challenge outlined by IT decision makers (both cited by 23% of respondents), and 84% of CNI organizations believe they will be impacted by a critical cyber-skills shortage in the next three to five years.
Despite this troubling landscape, more than three-quarters (78%) of respondents expressed confidence that their OT systems are protected from cyber-threats.
Scott Nicholson, Co-CEO at Bridewell Consulting, commented: “The report highlights some nuances between how some CNI organizations perceive their cybersecurity posture versus reality. Security vulnerabilities, whilst challenging to remediate within some CNI organizations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organizations simply cannot afford to be complacent.”