Canadian operational technology security insights

45%

of respondents say OT cybersecurity risks are perceived by their board of directors to be the highest business risks

54%

of respondents report their organization has experienced an OT cybersecurity incident in the last three years

71%

of respondents indicate their organization has increased its OT cybersecurity budget in the past year

In today’s world, the security of operational technology (OT) systems is increasingly on the radar of executives.

Operational technology can be defined most simply as the hardware and software used to control industrial processes and infrastructure. For the purposes of this report, OT includes both traditional operational technologies and the industrial internet of things. OT systems lie at the heart of asset-intensive industries like electric power generation and distribution, utilities, manufacturing, logistics and transportation. As such, OT systems are critical targets—both in terms of the payoff for criminals when breached and in terms of consequences for business operations, public safety and national security.

Why is OT security becoming such a concern now? In the last year, we’ve seen an increase in the sheer volume of attacks on OT systems, including several very high-profile incidents. Also, the Canadian federal government has recognized the importance of regulating cyber risk with its new draft legislation that aims to protect critical cyber systems and infrastructure. But at the same time as security threats are increasing, OT systems are becoming increasingly digitized and, therefore, vulnerable. OT security isn’t just about managing risk—it will be a key enabler for achieving competitive advantage in the years to come.

So how are Canadian organizations responding to these increasing threats and positioning their organizations for future success? In spring 2022, we spoke to 200 business leaders from approximately 175 different organizations across the country in an effort to understand levels of OT cybersecurity readiness. More than eight in ten (83%) of these respondents are the primary decision-maker in OT cybersecurity matters at their organization.

Explore the key findings of our survey to understand how your organization compares to your peers and learn about our recommended next steps.

Building a benchmark: Organizations’ perceptions of the OT security risk landscape

Key takeaway

Organizational leaders must understand the gravity of decisions about how to keep OT environments secure. Respondents report having experienced both operational and cyber-kinetic consequences of OT security breaches at their organizations.

While OT cyber risks have long been present, we believe general awareness of OT risk is on the rise, especially at the leadership level. OT cybersecurity risks are perceived as either the highest business risk or as a high technology risk by the boards of directors of 90% of respondents to our survey. This is in line with survey findings elsewhere: in our recent 25th CEO Survey—Canadian insights, the highest number of Canadian CEOs (53%) reported being extremely or very concerned about cyber risks in the coming year.

OT cybersecurity risks are…

^{Question: Which of the following best describes how your board of directors perceives OT cybersecurity risks?}

…perceived as the highest business risks by the board of directors

…perceived as high technology risks by the board of directors

…considered only as one subset of technology and operational risks and aren't discussed/reported on to the board of directors as a separate category

^{Percentages don't add up to 100 due to rounding.}

In addition to several high-profile industry incidents, this increase in awareness has also likely been driven by an increase in OT incidents—and negative effects—experienced by respondents.

54% of respondents report they’ve experienced an OT cybersecurity incident in the last three years

When asked about the consequences their organization experienced due to security incidents associated with OT systems, respondents identified significant operational impacts. The highest number of respondents identified loss of proprietary or confidential information (23%) and damage to product/service quality (20%) as consequences experienced by their organization.

However, cyber-kinetic risks may be a significant factor in elevating awareness of OT risk. A perhaps startling 7% of respondents selected injury or death of employees as a negative consequence of cyber attacks experienced by their organization, and 6% selected injury or death of members of the general public.

When asked about their top concerns about future OT security incidents, the highest number of respondents (38%) selected loss of customer confidence or damage to company brand/reputation. Cyber events affecting lives, well-being and/or the environment could prove to be very reputationally damaging, resulting in a serious breakdown of trust with both the public and regulators.

Top concerns in OT cybersecurity incidents

^{Question: Of these consequences that could result from an OT cybersecurity incident, what are your top three future concerns for your organization?}

^{Percentages may not add up to the displayed total due to rounding.}

Cost of incident response and mitigation was ranked the most concerning consequence that could result from an OT cybersecurity incident by the highest share of respondents (11%)

All of these risks are only set to increase as organizations further digitize their OT systems. But there’s no single trend that emerges when we look at respondents’ thoughts about which technical and workforce trends could lead to the highest increase in OT cyber risks.

Taken as a whole, risks related to the hardware and software supply chain and third parties make up the most impactful trend increasing OT security risks. And unsurprisingly, given the events of the last few years, another area of concern is remote access for vendors (24%) and employees (23%), as well as lack of skills on the market (20%) and employee attrition (17%). Overall though, concerns about how current trends will affect cybersecurity risks are diverse and widespread, with adoption of AI and machine-learning solutions and adoption of cloud computing and SaaS solutions appearing high on the list.

Trends leading to OT cybersecurity risks

^{Question: Which technical and workforce trends do you believe lead to the highest increase in OT cyber risks, either currently or in the future?}

^{Percentages may not add up to the displayed total due to rounding.}

Understanding the barriers to effective OT security

Key takeaway

Leaders must be careful about relying too heavily on IT personnel and policies to fill existing and future OT security gaps. As the OT security environment becomes even more technically demanding, challenges to OT/IT collaboration will only multiply.

Given the existing risk landscape, what are the challenges facing respondents looking to secure OT systems at their organizations? The first is a lack of clear definition between IT and OT security. We see this blurring of the lines when we look at responses to questions about organizational responsibility for OT security.

While responses to the question about which role is ultimately accountable for OT cybersecurity risk management in their organization were varied, the highest share of respondents (22%) selected chief information security officer (CISO). But interestingly, the highest share of respondents (27%) report the day-to-day management of OT cybersecurity controls lies with the department that’s the primary user of OT technologies. The CISO role traditionally oversees IT cybersecurity and not OT, so giving the CISO OT ultimate security responsibilities could create tension within organizations.

We see this lack of clarity at the policy level as well: 84% of respondents use their IT security policy for OT security. And a perhaps surprising 15% have no formal OT security policy documentation in place at all.

While it will be crucial for IT and OT groups to collaborate to effectively secure the OT environment, there are technical differences that will limit the application of established IT controls on OT systems. These technical differences will only become more complex with the growing adoption of cellular connectivity. More than three-quarters (78%) of respondents already use some cellular connectivity for their OT systems, with 60% using private networks.

97% of respondents report their organization has plans to use cellular connectivity for OT

As we move into the future, we’ll continue to see a need for talent with highly specialized and technical skill sets to understand converged IT/OT systems and risks. The good news is that our respondents seem to understand this. When asked about typical barriers to OT cybersecurity implementation, top responses were lack of OT cybersecurity expertise (45%) and lack of a formal budget for OT cybersecurity (44%), with lack of expertise being the barrier most likely to be ranked first (23%).

Typical barriers to OT cybersecurity implementation

^{Question: What are the typical barriers/delays in the implementation of OT cybersecurity initiatives in your organization?}

^{Percentages may not add up to the displayed total due to rounding.}

Organizations’ responses to changing technology in the OT environment

Key takeaway

Leaders must start thinking creatively about how to fill the current OT security skills shortage. A majority of respondents indicate they've allocated budget to OT cybersecurity efforts in the past year, with improvements being made on three fronts: people, processes and technology.

What steps are organizations taking to overcome these barriers and protect against looming threats? Slightly more than seven in ten respondents (71%) indicate their organization has increased its OT cybersecurity budget in the past year, and much of this budget is being spent on talent.

When asked to identify their highest investment priorities in the next year, respondents point first to the need to upskill IT information security and cybersecurity staff in OT-specific contexts (26%). This is followed by the upskilling of engineering and operations staff in cybersecurity (22%) and hiring OT cybersecurity expertise (21%).

Unsurprisingly, given the current difficulty many organizations are experiencing retaining talent, especially talent with specialized training, we also see some interest among respondents in outsourcing. The highest share of respondents (30%) express interest in third-party support and expertise about security issues, data leakage and threats.

16% of respondents say managed security services is one of their organization’s top OT cybersecurity investment priorities in the next year

Investment priorities for OT cybersecurity

^{Question: What are your top three investment priorities for OT cybersecurity in the next 12 months?}

^{Percentages may not add up to the displayed total due to rounding.}

When it comes to process improvements, we see 16% of respondents focused on OT-specific cyber risk governance improvements. With regard to technology updates, which in many cases will also require process changes, vulnerability management solutions for OT (21%) and asset management solutions for OT and asset management integration with other cybersecurity controls (18%) top the list.

It bears mentioning, though, that both process and technology updates will rely on skilled talent to implement and oversee those changes and solutions, especially in today’s continuously changing security environment.

Three next steps for organizations

As OT systems become increasingly digitized amid ever-increasing risk, it will be crucial for organizations to protect their people and critical infrastructure, as well as ensure operational resilience. We’ve outlined three key steps organizational leaders must consider.

The first step to building your OT security strategy and effectively allocating your cybersecurity budget is defining your approach to OT security risk assessment and management. Ongoing delivery of your operational mission will depend on taking a risk-based approach to identifying, evaluating and prioritizing cyber threats to your organization. Developing internal policies, procedures and responsibilities for effective IT-OT cyber risk governance will improve the allocation of cybersecurity budget and crisis response, as well as, ultimately, reduce your cyber risk exposure.

But a full understanding of OT cyber risks can only be achieved through close collaboration between IT and OT teams. IT teams can better understand categories of cyber threats to IT systems and communications as well as how they might reach OT environments. OT teams can properly assess the impacts to underlying physical processes and the organization by considering the risk abatement provided by safety-instrumented systems or manual workarounds.

Perform an OT devices discovery to identify all your OT assets and import them into an asset management solution. IT and OT visibility solutions rarely intersect, so your approach has to include both sets of tools to discover assets on your networks. No automated asset discovery tool will identify all your OT assets—a comprehensive approach has to include an element of manually piecing together information from multiple sources.

One of the biggest challenges many organizations are struggling with is limited visibility of the IT-OT attack surface. Without a comprehensive OT assets inventory, unknown and unchecked security issues can abound.

Consider OT vulnerability assessment and management to help you identify vulnerabilities at a point in time and develop mitigation plans to protect your environment. This process should also institutionalize a regular and ongoing vulnerability assessment and management approach that will always help you tackle your highest risks first.

Implement and follow a set of widely endorsed cyber best practices and cybersecurity controls to maintain a basic level of security within your OT environment. Mitigate risks to your organization by maintaining good cyber hygiene.

It’s also worthwhile to consider more sophisticated solutions. OT-specific monitoring and detection solutions and in-house or outsourced OT security operations centres can help you quickly detect and contain threats to your OT environment before you experience major impacts. OT-specific privileged access management, as well as identity and access management processes and solutions, can help you control access to your OT and OT-connected systems.

Develop an OT-specific security incident response that will prepare your organization to quickly contain and eradicate threats to your OT environment. Keep in mind: OT incident response is more complex than and different from IT incident response, and it involves more parties.