A new global report from Claroty details a number of potential contributing factors for today's CISOs to consider, including the convergence of IT and OT roles.

The Global State of Industrial Cybersecurity report found that 74% of IT security professionals globally are more concerned about a cyberattack on critical infrastructure than an enterprise data breach. An independent survey of 1,000 full-time IT security professionals was carried out in the United States, United Kingdom, Germany, France, and Australia to determine the attitudes and concerns of IT security professionals related to operational technology (OT) security.

According to the data, more than half of industry practitioners in the U.S. (51%) believe that today's industrial networks are not properly safeguarded and need more protection, while another 55% believe that U.S. critical infrastructure is vulnerable to a cyberattack. While IT security professionals are typically tasked with protecting enterprise networks, they are notably more concerned about a cyberattack on critical infrastructure (65%) compared to an enterprise data breach (35%). In addition, a strong majority (67%) believe that a cyberattack on critical infrastructure has the potential to inflict more damage than an enterprise data breach.

In regard to timing and urgency, 63% of U.S. IT security professionals expect a major cyberattack to be successfully carried out on national infrastructure within the next five years. However, 10% say that we will never see one, despite ample evidence of attacks targeting energy and other related sectors.

In contrast to the lack of confidence in the U.S., global IT security professionals (including those in the U.K., Germany, France, and Australia) have a more positive-leaning outlook. A majority of all global respondents (62%) believe that industrial networks are properly safeguarded. Those in Australia (93%) and Germany (96%) are by far the most confident in the overall safety of industrial networks.

When asked which type of cyberattack on industrial networks would be most prevalent in 2020, a majority of U.S. IT security professionals (56%) put hacking at the top of the list, followed by ransomware (21%) and sabotage (12%). There is also a strong consensus among U.S. practitioners that electric power is the most vulnerable sector of critical infrastructure (46%), followed by oil and gas (18%) and transportation (13%).

Additional key stats:

  • An overwhelming majority of U.S. IT security professionals (87%) believe that the government is responsible for properly protecting critical infrastructure from cyberattacks. This indicates how crucial it is for Chief Information Security Officers (CISOs) and IT teams to understand the importance of OT security and how it falls within their purview, as every company in the world relies on industrial networks.
  • IT and OT security practices are converging at a rapid rate due to digital transformation and the evolving threat landscape, which presents new challenges and opportunities for CISOs. Demonstrating this, a majority in the U.S. (66%) have been trained in the differences between IT and OT networks and 65% believe they have the skills and experience required to properly manage OT network cybersecurity.
  • While clearly acknowledging the urgency surrounding critical infrastructure, most U.S. respondents express little desire to work in industrial cybersecurity. A strong majority (71%) say they would rather work in IT enterprise cybersecurity than focus on industrial networks, while another 57% say they would rather work for an organization that experiences a massive data breach instead of one that suffers a critical infrastructure-related cyberattack.

"While IT and OT convergence unlocks business value in terms of operations efficiency, performance, and quality of services, it can now be detrimental because threats, both targeted and non-targeted, have the freedom to maneuver from IT to OT environments and vice versa," says Dave Weinstein, Chief Security Officer of Claroty.