Critical National Infrastructure (CNI) is vital to keeping the nation running. Countless headline-grabbing cyber attacks in recent years have highlighted that no sector is exempt from growing online threats. As operation technology (OT) systems across the CNI sector become increasingly connected and parameters of robust security measures continually shift, security must be front and centre for CNI organisations moving forward.
Encouragingly, our latest research reveals that 78% of CNI organisations are confident that their OT systems are protected from cyber threats. However, in the same survey, an overwhelming majority (86%) of respondents said their organisations had detected cyber attacks on their OT or industrial control systems (ICS) in the last 12 months, with 93% of these experiencing at least one successful attack. So why are security decision makers feeling so optimistic in the face of escalating cyber threats?
Confidence could in part be due to security measures in place, with an overwhelming majority of organisations (99%) carrying out security assurance activities. Activities used are varied with the top three assurance activities being penetration testing (42%), risk assessments (39%) and red/blue/purple team assessments (37%). Security incident response testing was the bottom of the list. This could be due to lack of budget, however, without testing, many will lack the knowledge or confidence to successfully manage incidents.
The good news is that three quarters of those surveyed expect investment in cyber security to increase within the next 12 months, with 39% saying it will increase moderately and 27% saying significantly.
And when asked specifically about focus areas for the next 12 months, the biggest areas identified were: introducing new methods of security testing (28%), investing in cyber security technology (28%) and more regular patching and updates (27%).
Looking ahead to 2025
As anyone in business knows, 12-months can go by in the blink of any eye. Therefore, it’s important to look ever further ahead and understand the challenges cyber security teams expect to come up against in the next five years.
The biggest challenges cyber security teams expect to face by 2025 are understanding new technology (24%), budget constraints (20%) and increased pressure to prevent against cyber attacks (20%).
Perhaps most worrying is the evident lack of cyber security skills that decision makers openly admit will become a growing problem. While nearly three quarters believe they have the right skills in place now, 84% believe the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next 3 to 5 years.
It’s widely accepted that OT is a particular challenge when it comes to cyber security skills. However, the acknowledged skills gap in cyber security is made even broader around OT and SCADA as cyber security experts don’t necessarily have the skills to apply this knowledge to SCADA-based infrastructures and vice versa.
The expert verdict
As an independent cyber security and data privacy consultancy that works with CNI organisations, we believe that there are nuances in how some CNI organisations perceive their cyber security posture versus reality. A lot of good work is being done by CNI organisations to improve security, such as following the NIS directive and security assurance activities including penetration testing and red team assessments. However, it’s important not to get complacent and this means improving education around cyber risks and how to prevent them to help the industry close up any vulnerabilities.