According to Gartner, Inc., 30 percent of critical infrastructure organizations will experience a security compromise by 2025, resulting in the shutdown of operations- or mission-critical cyber-physical systems.
Security of critical infrastructure has become a top priority for governments around the world, with the United States, the United Kingdom, the European Union, Canada, and Australia all identifying sectors as ‘critical infrastructure,’ such as communications, transportation, energy, water, healthcare, and public facilities. Critical infrastructure is owned and operated by the government in certain nations, but private enterprise owns and operates a far bigger amount of it in others, such as the United States.
“Governments in many countries are now realizing their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, research director at Gartner.
He added, “They are now making moves to mandate more security controls for the systems that underpin these assets.”
According to a Gartner survey, 38 percent of respondents plan to raise spending on operational technology (OT) security by 5% to 10% in 2021, with another 8% expecting an increase of more than 10%.
According to Gartner, this may not be enough to compensate for years of underinvestment in this area.
“Besides the need to catch up, there is a growing number of increasingly sophisticated threats,” Contu said.
He also says, “Owners and operators of critical infrastructure are also struggling to prepare for the coming increased oversight.”
“SRM leaders should accelerate efforts to discover, map and assess the security posture of all cyber-physical systems in their environment,” said Contu.
He added, “Invest in threat intelligence and join industry groups to stay apprised of security best practices, upcoming mandates and requests for inputs from government entities.”
Critical infrastructure technologies have become more digital and networked over time — either to enterprise IT systems or to each other — posing cyber-physical system security vulnerabilities. As a result, the attack surface for hackers and bad actors of all kinds has grown significantly.
Organizations in critical infrastructure sectors should be more concerned with real-world threats to persons and the environment than with data theft. According to Gartner, by 2025, attackers will have successfully weaponized a critical infrastructure cyber-physical system to damage or kill humans.
According to Gartner, security and risk management (SRM) professionals in critical infrastructure sectors should adopt a holistic approach to security. IT, OT, and Internet of Things (IoT) security are all handled in concert.
