SOURCE: Original article here by Damon Kitney in The Australian.

Large companies operating in the mining, energy and utilities sectors are vulnerable to cyber attacks on their hardware and software used to control industrial processes because of their failure to actively test or upgrade their operational technology (OT) systems, according to a new survey.

Secolve, an OT-focused cybersecurity firm working closely with large organisations to help identify and address risks and threats, commissioned research of more than 2000 Australian risk, compliance and security specialists that found 78 per cent were concerned there would be an attack on their industrial systems in the next 12 months.

It also found just one-third of respondents with OT responsibilities said their business had implemented new OT technology in the past two years, and only 31 per cent used a third party to test their OT security. One in 10 businesses hadn’t undertaken any reviews or updates in the past two years.

Secolve’s founder and CEO Laith Shahin said businesses’ industrial control systems were often legacy systems built decades ago with no thought given to security. He claimed that if risk and security compliance specialists were not on top of OT security issues, company boards were likely unaware and not planning or budgeting for this major risk to their operations.

“Most organisations tend to avoid assessing the security of their industrial control systems because of the impact it can have on the business in terms of downtime or unavailability of critical systems. But an attack on an OT environment can cause the business catastrophic losses, not just financially but also through potential loss of life,’’ he said.

OT systems have long been used in manufacturing, mining, energy, utilities, logistics and other industrial operations to monitor and control physical processes. But they are now becoming increasingly interconnected and integrated with other IT systems.

“Industrial OT environments have traditionally been more isolated but with the shift to digitalisation and automation, the threat levels are increasing exponentially. The lack of segmentation between IT and OT environments creates additional risks as an attacker can now gain access to OT systems by compromising an IT network,” Mr Shahin said.

A recent report by global cybersecurity firm Kaspersky titled State of Industrial Cybersecurity in the Era of Digitalisation found the most common obstacles that inhibited or delayed the implementation of industrial cybersecurity projects included the inability to stop production, and bureaucratic steps, such as a lengthy approval process and having too many decision-makers.

Every year many incidents, including high-profile attacks, are hitting industrial control systems (ICS). In June, a ransomware attack shut down US Honda manufacturing plant and US-based power grids have also come under sustained attack.

A new Gartner report predicts the financial impact of cyber attacks resulting in fatalities will be more that $US50bn by 2023.

The Secolve survey highlighted a lack of knowledge of OT systems within businesses, even among those working in related areas, as a major issue for industrial-scale companies. Just 17 per cent of the 737 respondents with OT, IT and risk responsibilities were confident in their knowledge of OT.

Of the 484 respondents that have OT as part of their business, only 9 per cent said their business had a dedicated OT team or staff member, with most businesses absorbing OT into the responsibilities of other departments, typically IT (57%).