The digital transformation has multiplied the possibilities of development and economic growth. In companies and among cybercriminals. Advanced technologies allow businesses to evolve towards more efficient environments, but they can also open loopholes to undesirable 'visits' in organizations and put their activity at risk. All companies are susceptible to being cyberattacked, but their level of exposure is not the same nor do they have the same degree of protection.
The digital transformation has also favored the opening of OT environments, connecting their assets to the IT world, the internet or the cloud, to, above all, improve their productivity and efficiency. This combination brings with it numerous benefits, but it also leaves visible vulnerabilities and increases cybersecurity risk levels. To address them and guarantee the continuity of activity, protect critical business information and reinforce security in all elements and stages of its value chain, it is necessary to apply specific measures appropriate to these environments. And even more so in critical sectors for society, where it is essential that production does not stop at any time due to the impact it would have at all levels: economic, reputational, cessation of activity or even loss of human life. .
Digitalization has made it possible for the energy sector to improve the use of critical infrastructure and the supply of essential services and, at the same time, has accentuated its vulnerabilities. In the industry and consumer sector, the IT area is usually more cyber-protected, but the situation is now more complex in many OT environments as the attack surface expands with the exposure of own and insecure systems, complex environments and with little visibility for the organization.
The uniqueness of both sectors means that their strategies consider OT cybersecurity in a very different way. Thus, 84% of energy companies already include its relevance and development in their strategic plans and 46% of industrial companies consider doing so in the near future (2023-2025). The data comes from the SIA 2023 OT Cybersecurity Barometer, which has just been made public at an open event. According to Roberto Espina, CEO of SIA –Indra's cybersecurity company–, “in sectors as critical and with assets as important as energy and industry and consumption, operational cybersecurity is strategic due to its degree of exposure and impact to cyber attacks. ”.
The different level of cybersecurity maturity detected in both sectors responds to different variables. For example, regulation. According to the report, prepared by SIA experts in collaboration with Minsait (Indra) based on interviews with energy companies and the industry and consumer sector in Spain and Portugal, the former have taken the lead because they manage critical infrastructure and essential services to citizens. and, therefore, are subject to greater control.
In this sense, in industry and consumption there are sectors such as the automotive industry that exert a driving effect among their collaborators by entailing demands for standards and certifications, but they still have a way to go.
On the other hand, the involvement of senior management in the OT cybersecurity strategy is key to more effective protection of the organization. In the case of energy companies, it is greater and still incipient in the industrial and consumer sectors. Furthermore, in the latter, only 15% have a CISO – responsible for security – specific for operational environments.
Another aspect analyzed in the report is identity management. 38% of companies in the industrial and consumer sector admit that they do not have identity and access management to the OT world separate and independent from the IT world and 85% recognize that, even knowing that the management of privileged accounts is critical from From the security point of view, it is still a pending issue. On the other hand, both sectors have widespread use of double factor authentication (MFA) as a key element for advanced protection in this area.
As Roberto Espina has explained, “zero risk does not exist; It is an improvement process in which we must invest continuously to minimize the economic impact, reputation or cessation of activity in the event of any cyber incident and to achieve the goal of becoming a protected organization in operational environments.
With the premise that production cannot stop at any time in these environments, an adequate cybersecurity strategy in this area must begin with an identification and inventory of assets, detailed analysis of threats and vulnerabilities, continue with the execution of a diagnosis on the state of critical systems and risks, to then structure a plan of initiatives that cover the five phases of the protection cycle: identify, protect, detect, respond and recover.
