Australian OT (operational technology) cybersecurity company Secolve published a report on the precarious cybersecurity of critical infrastructure and industrial environments. Secolve surveyed senior professionals working in energy, manufacturing, water, mining, oil and gas, and critical infrastructure supply chains to understand the state of cybersecurity in these environments. The data shows that OT cybersecurity training is typically deficient, infrequent, or ignored entirely, and that organisations’ OT security culture is still immature.
A quarter of Secolve respondents (24%) reported that they have never conducted OT specific training, and 21% had only done so during onboarding. The report shows that this is an issue of quality, as well as frequency. Only 11% of respondents said that their training was ‘practical’ for their work environment. While 42% said it was too IT-focused. Given how regularly these businesses are targeted by cybercriminal groups and the influx of internet-connected devices in industrial environments, Secolve warns that organisations are underprepared and untrained.
“OT cybersecurity training is infrequent, weak and generic,” said Secolve CEO, Laith Shahin. “Engineers, technicians and miners work in hazardous environments surrounded by tech, powerful robotics and large autonomous machines. Many will get OT cybersecurity training in their first week, then never again. Some will never have OT cybersecurity training at all, and will simply have the same IT training as their desk job colleagues. Frankly, it’s utterly nonsensical to give the same cybersecurity training to people regardless of whether they work behind a desk, in a mining pit, from factory floor, or energy plant. Training them all the same is like not training them at all.”
The report also highlights the weakness and immaturity of OT cybersecurity in industrial and critical infrastructure environments. Respondents cited OT risks such as securing remote access and third-party connections, identifying suspicious behaviour in control systems, and managing USB/removable media risks as top priorities. However, only half (55%) were confident of front-line staff’s ability to identify and report suspicious activity, and only 15% would describe their OT security awareness culture as ‘strong.’
“The immaturity of OT cybersecurity and lack of training is alarming, but hardly surprising. OT cybersecurity is still incredibly immature in Australia,” continued Shahin. “Organisations are starting to recognise OT cybersecurity as a priority, but most remain stuck in compliance-driven, IT-centric training models. For these organisations to mature, they must adopt continuous, role-specific, scenario-driven, and gamified learning that is integrated into daily operations and safety frameworks.”
Click here to see the original article.
The same report can also be seen in the Australian Cybersecurity Magazine here.