April 6, 2020
The International Society of Automation (ISA) recently served as the expert partner for an independent report from Newsweek Vantage on cyber risks to critical infrastructure.
The report, titled “Weathering the Perfect Storm: Securing the Cyber-Physical Systems of Critical Infrastructure,” surveyed 415 executives at critical infrastructure organizations to learn whether they are taking a holistic approach to security for operations technology (OT) and information technology (IT). Among other takeaways, the survey found that a holistic approach is a priority for most—and that more than a third of respondents said a cyber breach was the motivating factor.
ISA is the industry expert on standards for automation cybersecurity for OT systems. The ISA/IEC 62443 Series of Standards is the world’s only consensus-based series of standards on automation cybersecurity.
“We’re proud to provide guidance as an expert partner with Newsweek Vantage on this independent report,” said Mary Ramsey, ISA executive director. “The security of critical infrastructure is complex by nature, and we believe research like this is an important part of understanding where the industry can improve as a whole.”
Other key findings from the report include:
- – IT and OT still don’t play well together at many organizations, despite years of effort. Nearly a third of respondents said the primary obstacle is cultural—in other words, that employees are resistant to change.
- – Nearly every executive surveyed said their organization had experienced a security breach within the last year. Almost two-thirds said IT systems were the source of vulnerability leading to at least one of their incidents. A third also attributed their vulnerability to a lack of IT/OT integration, and a quarter added that a lack of secure physical access controls contributed to system vulnerabilities as well.
- – Most organizations are at least partway along the path to IT/OT convergence. 68 percent of respondents said their organizations have integrated some of their OT, IT, and physical systems, and are still working on others. Far fewer—20 percent—have already integrated everything, and fewer still—only 11 percent—have not integrated anything.
Eric Cosman, a consulting engineer and the 2020 ISA president, as well as Steve Mustard, an independent consultant and the incoming 2021 ISA president, also contributed to the report as subject-matter experts.
“It was a privilege to represent ISA and the automation community in providing input to the Newsweek Vantage report,” Cosman said. “Vehicles such as this provide us with an opportunity to reach a much broader audience and raise the awareness of the risks faced by our critical infrastructure. Asset owners must take the time to fully understand the consequence component of this risk and plan their response accordingly using standards, practices, and other resources available to them.”
“The Newsweek Vantage report is the end product of an important piece of research, of which I am very proud to have been a part,” Mustard says. “ISA has long understood the risks to critical infrastructure from cybersecurity incidents, and having the opportunity to be part of this work has allowed us to share our message much further. Although the report shows we still have a long way to go before industry fully embraces the challenge, it provides clear evidence of the need to do so.”
Improving automation cybersecurity across all industries is a central part of ISA’s mission. It created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. It also offers a suite of automation cybersecurity training, including certificate programs.
The full Newsweek Vantage report is available for download here.