Key Takeaways
- OT cybersecurity training is often deficient, infrequent, or ignored in critical infrastructure and industrial environments.
- A quarter of respondents reported never having conducted OT-specific training, and 21% had only done so during onboarding.
- OT security culture is still immature, with only 15% of respondents describing their OT security awareness culture as ‘strong’.
- Organisations are underprepared and untrained to face cyber threats, despite being regularly targeted by cybercriminal groups.
- There is a need for continuous, role-specific, scenario-driven, and gamified learning that is integrated into daily operations and safety frameworks.
Introduction to OT Cybersecurity
The state of cybersecurity in critical infrastructure and industrial environments is a pressing concern, as highlighted by a recent report published by Australian OT cybersecurity company Secolve. The report surveyed senior professionals working in various industries, including energy, manufacturing, water, mining, oil and gas, and critical infrastructure supply chains. The findings reveal a disturbing lack of preparedness and training in OT cybersecurity, leaving organisations vulnerable to cyber threats. The report’s findings are a wake-up call for organisations to reassess their approach to OT cybersecurity and invest in effective training and awareness programs.
The State of OT Cybersecurity Training
The report’s findings on OT cybersecurity training are alarming, with a quarter of respondents (24%) reporting that they have never conducted OT-specific training. Furthermore, 21% had only done so during onboarding, highlighting the issue of infrequency and lack of ongoing training. The quality of training is also a concern, with only 11% of respondents saying that their training was ‘practical’ for their work environment. A significant 42% of respondents felt that their training was too IT-focused, which is not suitable for the unique challenges of OT environments. This lack of effective training leaves organisations underprepared to face the increasing number of cyber threats targeting industrial and critical infrastructure environments.
The Consequences of Inadequate Training
The consequences of inadequate OT cybersecurity training are far-reaching and potentially devastating. As Secolve CEO Laith Shahin noted, "OT cybersecurity training is infrequent, weak and generic." The lack of tailored training for OT environments means that engineers, technicians, and miners are not equipped to identify and respond to cyber threats effectively. This is particularly concerning given the hazardous nature of their work environments, where powerful robotics and large autonomous machines are common. The fact that some employees may never receive OT cybersecurity training or receive the same training as their desk-based colleagues is, as Shahin put it, "utterly nonsensical."
The Immaturity of OT Cybersecurity
The report also highlights the weakness and immaturity of OT cybersecurity in industrial and critical infrastructure environments. Respondents identified key risks such as securing remote access and third-party connections, identifying suspicious behaviour in control systems, and managing USB/removable media risks as top priorities. However, only half (55%) of respondents were confident in the ability of front-line staff to identify and report suspicious activity, and a mere 15% would describe their OT security awareness culture as ‘strong’. This lack of maturity and awareness is a significant concern, given the critical nature of these environments and the potential consequences of a cyber attack.
The Need for Improved Training and Awareness
The report’s findings emphasize the need for organisations to adopt a more effective approach to OT cybersecurity training and awareness. As Shahin noted, "Organisations are starting to recognise OT cybersecurity as a priority, but most remain stuck in compliance-driven, IT-centric training models." To mature, organisations must adopt continuous, role-specific, scenario-driven, and gamified learning that is integrated into daily operations and safety frameworks. This approach will help to ensure that employees are equipped to identify and respond to cyber threats effectively, reducing the risk of a successful attack and protecting critical infrastructure and industrial environments. By investing in effective OT cybersecurity training and awareness programs, organisations can help to mitigate the risks associated with cyber threats and ensure the safety and reliability of their operations.
