• In the Energy report, companies in the sector (84%) include cybersecurity in operational environments in their current roadmap. The Industry report reveals that their organisations consider this strategy relevant, but only in the future (46%).

 

• The SIA 2023 OT Cybersecurity Barometer analyses the current level of maturity in this area and the level expected in two years' time in a group of representative companies in the Energy, Industry and Consumer sectors in Spain and Portugal.

 

Madrid, 21 November 2023. - SIA, Indra's leading cybersecurity company, today presents the results of its OT Cybersecurity Barometer 2023. The report indicates that there is still room for improvement in the Industry and Consumer and Energy sectors in the protection of operational environments. Even so, energy companies (84%) are more aware of the relevance of having a roadmap where security in these environments is a priority, compared to 46% of companies in Industry and Consumer, which also consider this strategy important, but see it being given greater impetus in the near future.

 

Digital transformation favours the opening up of OT environments by connecting their assets to the IT world, the internet or the cloud, in order, above all, to improve their productivity and efficiency. This combination brings with it many benefits, but also leaves visible vulnerabilities and increases cybersecurity risk levels. To address them and ensure business continuity, protect critical business information and strengthen security in all elements and stages of the value chain, it is necessary to apply specific measures appropriate to these environments. And even more so in critical sectors for society, where it is essential that production does not stop at any time due to the impact this would have on all levels: economic, reputational, cessation of activity or even loss of human lives.

 

SIA, through its barometer, has assessed the level of OT cybersecurity maturity of a group of representative companies in the Energy, Industry and Consumer sectors in Spain and Portugal. The report, which was carried out through personal interviews with management profiles and experts from these companies, the analysis of SIA specialists and the collaboration of Minsait (Indra), reveals the current state of cybersecurity and the two-year plans in this area and sectors.

 

With this X-ray, SIA affirms that cybersecurity "continues to be a strategic area that must become stronger in these companies to achieve an optimum level of protection", as Roberto Espina, CEO of SIA, points out, who also adds that "the challenge is to evolve towards the paradigm of the Protected Organisation in the operational sphere; something that requires a specialised and comprehensive approach to cover the demands of a cyber-resilient production environment: to understand and apply cybersecurity in the design, deployment and operation of any project".

 

OT cybersecurity: the ambition of Industry 4.0

 

Although OT cybersecurity is an area that still has room for improvement in the companies that took part in the study, Industry and Consumption has a greater margin than Energy. However, the industrial companies' future commitment to OT cybersecurity is firmer, since, although most of them do not have it as a priority in their strategy today, almost half (46%) of those interviewed foresee its promotion and development between 2023 and 2025.

 

On the other hand, only a quarter of the companies apply the good cybersecurity practices defined by internationally recognised and sector-specific standards, and most do not comply with the analysis of specific risks in the OT ecosystem (93%). Furthermore, only 24% have specific cybersecurity awareness programmes in place in the operational environment. In terms of digital asset protection, only 23% have advanced tools to protect digital assets in the OT environment, although in identity management, the results are somewhat more favourable, with the management of privileged accounts as a pending issue. In addition, digital access control with MFA (Multi Factor Authentication) is present in 61% of organisations.

 

Overall, the biggest challenge for the industry is to define a roadmap that will allow it to make great strides in increasing its competence in OT cyber security. A necessary leap is also the introduction of advanced techniques and technologies in threat detection, such as AI, UEBA, Red Team or Blue Team. Similarly, increasing the frequency with which penetration tests are performed to ensure a more effective and efficient response.

 

A more cyber-resilient energy sector

 

OT cybersecurity is relevant to the strategy of 84% of energy companies, whose senior management is committed to this aspect. In addition, 68% of companies claim to have the specialised talent needed to implement and execute it, but just under half have incorporated a dedicated CISO for OT.

 

The Barometer highlights that all energy companies follow the best practices defined by international and sector-specific security regulations, and a good number of them (76%) have also defined their own OT cybersecurity strategy with respect to compliance with the reference control framework and analysis of specific risks. On the other hand, 53% use advanced digital asset protection solutions and 69% have automated inventory tools. And, as in the case of Industry and Consumer Goods, the majority of energy companies (84%) are committed to controlling their digital access in the operational environment with MFA.

 

On the other hand, one of the challenges in Energy is to put more focus on access control to plants or facilities (85% do not apply advanced measures for this) which, like digital ones, also have an impact on the company's protection. Also, as in the industrial sector, more frequent intrusion testing of OT systems and industrial networks is needed, as well as the integration of advanced threat detection mechanisms and technologies.

 

SIA, following the presentation of the results of its OT Cybersecurity Barometer 2023, has a single purpose: to help organisations identify these risks and protect their information and critical assets, and to guide them, based on its expertise, towards sustainable and secure growth.