OT security team shortage threatens protection in every fifth industrial organization
Kaspersky’s recent report, “The seven keys to improving OT security outcomes,” shows that, according to 19% of industrial companies, a lack of operational technology (OT) security professionals is threatening their cyber protection. Overall, 66% of survey respondents have faced significant OT security staffing challenges, such as overloaded employees and difficulties attracting qualified personnel. The report also revealed a general lack of investment in staffing and salaries.
Industry players have confirmed that the demand for OT/ICS security skills and specific expertise has been on the rise for the last several years, due to threat escalations and the increased prevalence of IT/OT security frameworks and regulations.
According to Kaspersky’s survey, industrial organizations have experienced significant staffing issues, including a lack of cybersecurity experts (19%), staff overload (46%) and staff turnover (30%). Only 4% reported feeling absolutely no pressure with regard to human resources.
The report names underfunding as one of the possible reasons for this gap between the supply and demand of qualified employees. A lack of finances has led to a reduced headcount, with staffing being the most underfunded aspect of OT/ICS cybersecurity in every second organization (55%). Another 35% of respondents also named low salaries and compensation as a particular concern.
Overall, just under half (43%) of industrial organizations have dedicated OT/ICS security teams. Given the difficulty of recruiting skilled industrial cybersecurity specialists, many organizations are looking into outsourcing, with 58% already relying more heavily on external OT security service providers since the pandemic.
“To organize the cyberprotection of an industrial enterprise, turning to a professional team, like a managed security service provider (MSSP), is an effective option. However, if a business needs to have its own team of professionals, then they can involve expert organizations and CERTs (Computer Emergency Response Teams) like Kaspersky ICS CERT, with expert knowledge in finding vulnerabilities, detecting threats and investigating cyber-incidents who can train an in-house team to do the same. In addition to training OT cybersecurity professionals, it is also necessary to ensure that other staff members are aware of cybersecurity issues. Training in this area can be delivered through dedicated awareness programs, including face-to-face, online and e-learning courses. This can be a legal requirement for critical infrastructure enterprises,” comments Dmitriy Petrovichev, ICS CERT Service Group Manager at Kaspersky.
Kaspersky suggests the following steps to mitigate the gap in OT/ICS security expertise:
- Improve the general security awareness of all employees who interact with industrial computers to minimize the risk of attacks due to human error. This includes basic practices such as not using ICS machines for personal needs and not installing unauthorized software on them.
- Look into cybersecurity courses for IT/OT managers and engineers. Kaspersky ICS CERT suggests onsite security awareness training for IT, IT security and ICS specialists, an online module in the Kaspersky Automated Security Awareness platform, along with in-depth professional courses on digital forensics and incident response.
The full report, “Kaspersky ICS Security Survey 2022: The seven keys to improving OT security outcomes,” is available for download here.