Attacks on Operational Technology Would 'Cripple' Most US Businesses, According to Cybersecurity Leaders

Monday, October 25th, 2021

A cyberattack on Operational Technology (OT) has the potential to 'cripple' the overwhelming majority (83%) of US organizations, according to a poll of 100 enterprise security leaders commissioned by Sapien Cyber.

The independent study of US cybersecurity leads, including CSOs and CIOs, conducted by research house Norstat, found that the overwhelming majority (88%) recognize that the number of cybersecurity threats facing their business is increasing every year.

Despite 90% of respondents working within US enterprises stating that they have evaluated the threats to Operational Technology such as heating, ventilation, and air conditioning systems, fewer than one in ten (8%) say physical security, such as OT environments, is taken more seriously than IT networks. Just over half (57%) said that they treat physical and cybersecurity systems as equally important, and 93% stated that their building management system was a part of the organization's cybersecurity strategy.

Glenn Murray, Managing Director and CEO of Sapien Cyber, commented: "It is clear that any attack on critical infrastructure has the potential to cause untold disruption for many organizations. This isn't just about taking a financial hit, but reputational risk and the potential of human fatalities as well.  

"President Biden's meeting with Vladimir Putin earlier this year signalled how seriously attacks to critical infrastructure are taken at the very highest levels of Government."

Recent evidence from the Cyber Security and Infrastructure Agency (CISA) suggests that cybercriminals are increasingly targeting Operational Technology with ransomware attacks, particularly against critical infrastructure.    

The Colonial Pipeline cyberattack earlier this year demonstrated the risks involved in not protecting critical national infrastructure to the highest degree. Cybercriminals were able to successfully deploy a ransomware attack, resulting in a huge pay-out and significant disruption to gas supplies across the East Coast. This became one of the most high-profile cyberattacks where consumers saw the potential for large-scale, tangible impact on their lives, which is a sign of things to come.   

A further example was the ransomware attack against FedEx back in 2017 that targeted their TNT Express Division and ended up costing the company USD 300 million. Another example was the successful 2021 cyberattack against Bangkok Airways by the LockBit ransomware gang, who threatened to release passenger information such as passport and credit card details if the ransom wasn't paid.

In other findings, 95% of cybersecurity leaders admitted that they could make improvements to their holistic and real-time monitoring of cyberthreats, while 64% of respondents said that the COVID-19 pandemic caused significant disruption for their cybersecurity teams.

General James Clapper, former Director of National Intelligence (US) under the Obama administration and board member at Sapien, commented: "Organizations have faced a number of challenges throughout the COVID-19 pandemic, which has left the door open for opportunistic cybercriminals to take advantage. With almost two-thirds of cybersecurity leaders suggesting they have felt major disruption to their day-to-day cyber operation, this is a major cause for concern.

"Administrations in the Western world are pushing for more stringent cybersecurity practices, and the evidence within this survey suggests more must be done to protect critical assets from immediate danger."

View the full report: C-Suite's Guide to Cyber Risks.