IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Vulnerable infrastructure operators are 'switching off' security to avoid downtime

Out-of-date systems are vulnerable to cyber attacks and lack purpose-built products to adequately protect them

Roughly a third of operational technology (OT) businesses have resorted to switching off their cyber security protections due to the impact on normal processes and overall productivity, fresh research has found.

OT firms are consistently encountering a loss of productivity as a result of having security protections running, according to cyber security firm Kaspersky, having surveyed operators of industrial infrastructure across 17 countries and every continent. Many firms have, therefore, in the past simply switched off these protections in order to get by.

One of the main blockers to achieving adequate security in OT environments, according to respondents, is the lack of purpose-built security solutions on the market.

Nearly half of those surveyed (40%) said their current security tools were not compatible with their automation systems and a similar proportion (38%) said they could clearly remember cases where security systems have adversely affected the company’s operations.

This incompatibility can cause disruption or interruption of key processes, leading to operational downtime. Kaspersky said OT businesses are struggling to find a balance between security and operational sustainability, given downtime can potentially cost up to $260,000 (£200,000) an hour, according to GE Digital’s figures.

One of the key reasons why OT firms are unable to source purpose-built security solutions is that many of their industrial control systems (ICS) are old and can no longer be upgraded, with around one-in-six endpoints proving impossible to upgrade.

“Our largest issue with our OT and ICS is that the equipment we own isn’t upgradable beyond its current level,” said one manufacturing firm based in the US. “The manufacturers don’t offer any type of upgrade to our current systems. We are stuck on outdated platforms that are, and remain, vulnerable.”

Related Resource

How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

Whitepaper cover with title on burgundy square graphicFree Download

Kaspersky also revealed that the OT businesses least affected by cyber security incidents had a considerably higher rate of installing industry-specific security tools compared to those who suffered the most attacks.

“In the past, asset owners reasonably assumed that the protection and automation systems responsible for the core business processes of an industrial organisation would be left undisturbed throughout the equipment’s lifetime, lasting decades – with the possible exception of occasional settings changes,” said Kirill Naboyshchikov, business development manager at Kaspersky Industrial CyberSecurity.

“However, with the introduction of next-generation digital automation systems, there are many instances where this may no longer be the case.”

There are a number of workarounds to compatibility issues that Kaspersky recommends, such as segmenting networks, performing security audits, and conducting penetration testing exercises to unearth security gaps.

OT and ICS have become prime targets for cyber criminals in recent years. Ageing and outdated systems that can’t run the best security software, combined with the supply chain necessity that these companies continue to deliver their services, means they have become targets for ransomware attackers specifically, cine the pressure to pay is so high.

That was exactly the case with Colonial Pipeline which was targeted by DarkSide ransomware last year, infamously leading to gasoline shortages in the US. The company eventually paid the ransom since the supply chain demand was too high to stall any longer.

It’s a common theme, too - research published at the end of 2021 revealed that 83% of critical infrastructure organisations had suffered cyber attacks within the previous three years.

New ways of breaking into OT and ICS are also being devised at a rapid rate. Research from Dragos, published earlier this year, showed the number of security vulnerabilities targeting critical infrastructure doubled in 2021, with one-in-four having no available patches.

Featured Resources

The COO's pocket guide to enterprise-wide intelligent automation

Automating more cross-enterprise and expert work for a better value stream for customers

Free Download

Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space

Free Download

2021 Gartner critical capabilities for data integration tools

How to identify the right tool in support of your data management solutions

Free Download

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Free Download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion
Hardware

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022