Web3 Development Report
[real3dflipbook pdf="https://www.bizzboard.com/wp-conte...
The State of Industrial Security 2022
Industrial security: Challenges and opportunities Security for the industrial internet of things (IIoT) and operational technology (OT) is in its infancy in many organizations. Several
factors — including security incidents — are driving awareness and
improvements. There’s certainly plenty of room for both, considering
more than 90% of organizations surveyed acknowledged experiencing
a security incident in the last 12 months.
From web application attacks to distributed denial-of-service (DDoS)
attacks and everything in between, global businesses are dealing with
a wide range of potential cybersecurity risks. In addition, respondents
are also concerned about the impact that the current threat landscape
and geopolitical situation could have on their organizations. While that
largely sits outside an organization’s control, it impacts them in some
shape or form and is a concern.
3
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Security threats are rife, and organizations should
be protecting themselves, especially those in
the critical sectors, such as oil and gas. Just one
Methodology
successful supply-chain attack can have wide-
Barracuda commissioned independent
reaching, catastrophic impacts. Indeed, the high
market researcher Vanson Bourne to
level of incidents underscores the vital need
conduct a global survey of senior IT
for IIoT/OT security to adequately protect all
managers, senior IT security managers,
organizations, in every sector.
and project managers responsible for
This report takes an in-depth look at IIoT/OT
security projects, implementation challenges,
security incidents, technology investments, and
a variety of issues related to cybersecurity risks.
IIoT/OT in their organization. There were
800 survey participants from a broad
range of industries, including agriculture,
biotechnology, construction, energy,
government, healthcare, manufacturing,
retail, telecommunications, wholesale,
and others. Survey participants were
from the U.S., Europe, and Australia.
In Europe, respondents were from the
United Kingdom, France, Germany, Austria,
Switzerland, Belgium, the Netherlands,
Luxembourg, Denmark, Finland, Norway,
and Sweden. The survey was fielded in
April 2022.
4
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
FINDING #1
Most organizations
have experienced
security incidents
Initially, we asked respondents about their general feelings and
concerns about the threat landscape to get an indication of how
much awareness this topic gets and to help put the rest of their
responses in context.
How concerned are you about the current threat
landscape and geopolitical situation in terms of the
impact it may have on your organization?
Respondents from the U.S. and Australia are most likely to be
(n=800)
region but also by industry.
very concerned, while respondents from France are the least
likely to be concerned. The level of concern not only varies by
2%
41%
10%
2%
20%
4%
28%
3%
Central,
federal, and
local gov
3%
Fairly concerned
Very concerned
60%
28%
38%
40%
60%
52%
50%
Telecom
Retail
Oil and gas
Wholesale
2%
3%
13%
4%
56%
1%
14%
9%
Not very concerned
Not concerned at all
68%
10%
10%
%
47
78%
10%
42%
43%
Energy, power
generation,
and utilities
3% 5%
21%
65%
26%
29%
55%
71%
Overall, respondents are concerned about the impact that the
current threat landscape and geopolitical situation will have on
37%
their organizations, with 88% very or fairly concerned. While the
current threat landscape and geopolitical situation is something
that largely sits outside an organization’s control, it impacts
them in some shape or form and is a concern for organizations.
5
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Manufacturing
33%
32%
32%
Distribution
and
transportation
Healthcare
(public & private)
Mining and
metals
20%
20%
Biotechnolgy,
chemicals, and
pharmaceuticals
Agriculture,
forestry, and
fishing
Very concerned
Fairly concerned
Not very concerned
Not concerned at all
5.38%
Understandably, concern is more prevalent in sectors likely to
By industry
feel the effects of the current threat and geopolitical landscape.
Government respondents are the most likely to be very
concerned. The overall level of concern, when looking at those
who are both very and fairly concerned, is also high among other
Central, federal,
and local gov
100%
Mining and metals
100%
Oil and gas
100%
critical sectors, including oil and gas and healthcare. Critical
sectors will be on high alert during periods of uncertainty, as any
impacts could have wide-reaching implications.
Telecommunications
99%
Agriculture, forestry,
and fishing
98%
Wholesale
98%
Manufacturing
98%
Next, we wanted to better understand the security situation in
industrial environments.
Has your organization experienced a security
incident in the last 12 months?
(n=800)
5.38%
0.2
5%
Distribution and
transportation
96%
Healthcare (public
and private)
94%
Retail
93%
Energy, power
generation, and utilities
85%
Biotechnology, chemicals,
and pharmaceuticals
9 4.3 8
%
Experienced an incident
82%
By geography
99%
U.S.
Has not experienced any incidents
98%
UK
Don’t know
Most organizations (94%) have experienced some sort of security
incident in the last 12 months, which is a surprising and alarmingly
high number.
Looking at the detailed results by region and industry,
this appears to be a general problem.
Nordics
92%
DACH
92%
Australia
France
6
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
97%
Benelux
90%
89%
All government, mining and metals, and oil and gas respondents
Because so many organizations have been hit by a security
say they’ve experienced at least one incident. Given the critical
incident, we wanted to know more details, especially about the
nature of some of these sectors, it’s essential they bolster security
impact and duration of these incidents.
to avoid disastrous impacts.
How long were your organization’s operations impacted due to the most
significant security incident experienced in the last 12 months?
(n=715)
43%
22%
19%
13%
Operations were impacted
for less than a day
Operations were
impacted for 1 day
Operations were
impacted for 2 days
Operations were
impacted for 3 days
2%
1%
Operations were
impacted for 4 days
Operations were
impacted for 5 days
87% of organizations that experienced an incident were impacted between one and five days.
On average, it took organizations 1.84 days to resolve the issue. Looking at the provided
severity of the impact of those incidents explains why it took so much time to remediate.
Q: What impact did the most significant security incident experienced
in the last 12 months have on your organization’s operations?
(n=755)
Impact average days
11%
Total
UK
France
9%
Nordic
Australia
U.S.
7
36%
39%
4%
10%
2%
48%
20%
7%
42%
49%
7%
34%
9%
46%
16%
29%
38%
48%
31%
5%
1.72
1.91
2%
9%
1.71
1.81
4%
31%
62%
8%
1.84
5%
50%
40%
DACH
Benelux
47%
1.63
1.87
2.05
Significant impact (complete shutdown of all devices and locations)
Moderate impact (a large number of devices or several locations were impacted)
Minimal impact (a few devices or one location was impacted)
No impact was experienced
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Those in the DACH region (Germany, Austria, and Switzerland) and those in the U.S. were
more likely to experience significant impacts from their most significant security incident in
the last 12 months. Those in the U.S. were impacted for an average of just over two days.
Experiencing a complete shutdown of all devices and locations for this length of time can
have catastrophic implications for organizations, and it’s a situation that can be avoided by
making relatively modest investments in security.
Impact average days
Agriculture, forestry, and fishing
Biotechnology, chemicals, and pharmaceuticals
9%
12%
Energy, power generation, and utilities
Healthcare (public and private)
5%
15%
11%
Manufacturing
8%
Mining and metals
8%
48%
56%
9%
56%
37%
33%
49%
44%
Telecommunications
11%
38%
Wholesale
11%
37%
45%
31%
68%
51%
Retail
1.91
3%
1.63
4%
1.73
2%
2.06
3%
1.81
1.94
32%
53%
35%
3%
44%
58%
13%
Oil and gas
28%
36%
31%
Central, federal, and local gov
Distribution and transportation
60%
16%
41%
3%
1.88
3%
1.78
7%
1.79
20%
1.85
5%
2.18
5%
1.54
3%
Significant impact (complete shutdown of all devices and locations)
Moderate impact (a large number of devices or several locations were impacted)
Minimal impact (a few devices or one location was impacted)
No impact was experienced
When combining significant and moderate impacts, the scale of these incidents demonstrates
how some organizations have been struggling.
While government organizations are still the most likely to have experienced a significant or
moderate impact, those in wholesale; and agriculture, forestry, and fishing also have over
two-thirds of respondents reporting the same. Given the impacts include a complete shutdown
or many devices being impacted, organizations cannot afford to become complacent in
this area.
8
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
FINDING #2
The most common
attack vectors
To get the next level of detail around security incidents that have
significantly impacted operations, we asked respondents about the
attack types their organization has experienced in the past year.
Which of the following security incidents has your
organization experienced in the last 12 months?
The most common incidents were web application attacks,
(n=800)
compromised remote access.
42%
Web application attacks
Malicious external hardware or removable media
Distributed denial of service (DDoS)
9
37%
never be exposed. The issues with malicious external hardware
Compromised supply chain
34%
Data theft
31%
API attacks
31%
Ransomware
31%
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
future, as automation increases, APIs will be a bigger target
for attacks. APIs and management interfaces, which are not
35%
24%
Web applications and APIs are popular attack vectors. In the
38%
Compromised remote access
Other malware
malicious external hardware or removable media, DDoS, and
intended for public access, need robust protection and should
and removable media, like USB sticks, were ranked surprisingly
high. IoT/OT environments require temporary third-party access
for maintenance as well as troubleshooting. The high ranking of
compromised remote access shows the urgency for getting this
fixed.
Another finding was that organizations with more devices
experience more attacks, especially in the top attack categories.
Interestingly, ransomware attacks are more evenly distributed
across organizations with differing numbers of devices.
Security incidents experienced in the organization in the last 12 months
80%
40%
65%
63%
60%
29%
34%
40%
51% 48%
58%
49% 48%
27% 24%
34%
24%
33% 35%
44% 45%
20%
0%
Web application attacks
Malicious external hardware or removable media
Distributed denial of service (DDoS)
80%
60%
46%
40%
30% 29% 31%
56%
52%
35%
26% 26%
36% 37% 33%
31%
36%
30% 27% 32%
25%
20%
0%
Compromised remote access
Compromised supply chain
Ransomware
1–2,000 IIoT/OT devices or cyber-physical systems
2,001–3,000 IIoT/OT devices or cyber-physical systems
3,001–4,000 IIoT/OT devices or cyber-physical systems
4,001–5,000 IIoT/OT devices or cyber-physical systems
5,001–6,000 IIoT/OT devices or cyber-physical systems
6,001 or more IIoT/OT devices or cyber-physical systems
The high level of incidents underscores the vital need for IIoT/OT
In some critical sectors, organizations experienced fewer
security to adequately protect all organizations. This is probably
incidents. In biotechnology, chemicals, and pharmaceuticals,
why 96% agree their organization needs to invest more in the
nearly 20% had no incidents in the last 12 months. In energy,
security of IIoT and OT.
power, and utilities, 15% had no incidents in the last 12 months.
Overall, we see significant differences in both probability and
attack vector across different industry verticals.
10
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Security incidents experienced in the organization in the last 12 months
60%
47%
36%
40%
51%
40%
31%
43%
57%
49%
47%
38%
38%
44%
20%
0%
Web application attacks
60%
37%
40%
31%
40%
46%
40%
29%
55%
53%
40%
35%
33%
41%
20%
0%
Malicious external hardware or removable media
60%
53%
40%
32%
28%
36%
22%
31%
47%
37%
45%
38%
35%
20%
20%
0%
Compromised remote access
60%
40%
22%
27%
27%
45%
36%
26%
39%
29%
27%
20%
33%
31%
21%
0%
Compromised supply chain
11
Agriculture, forestry, and fishing
Biotechnology, chemicals, and pharmaceuticals
Central, federal, and local gov
Distribution and transportation
Energy, power generation, and utilities
Healthcare (public and private)
Manufacturing
Mining and metals
Oil and gas
Retail
Telecommunications
Wholesale
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
FINDING #3
Organizations are
investing in security
To put the rather frightening results of the security incidents and
successful attacks into perspective, we asked respondents how
far their organization’s operational technology and industrial IoT
security projects had progressed.
What stage is your organization at when it comes to IIoT/OT security projects?
(n=800)
32%
Total
40%
50%
Oil and gas
Telecommunications
48%
Energy, power generation, and utilities
46%
Retail
45%
Government
44%
10%
17%
Healthcare
17%
Distribution and transportation
40%
4%
21%
3%
24%
54%
30%
36%
33%
48%
We will be starting an IIoT/OT security
project in the next 6 months
We will be starting an IIoT/OT security
project in the next 12 months
12%
15%
44%
We are in the process of completing
IIoT/OT security projects
3%
27%
34%
38%
3%
6%
6%
13%
24%
We have already completed
some IIoT/OT security projects
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
7%
10%
54%
Wholesale
1%
2%
20%
35%
21%
Biotechnology, chemicals, and pharmaceuticals
6%
17%
26%
24%
Manufacturing
12
32%
42%
Mining and metals
Agriculture, forestry, and fishing
21%
1%
5%
1%
12%
25%
47%
5%
2%
11%
11%
We will be starting an IIoT/OT security
project in the next 3 months
2%
2%
Organizations are facing a multitude of hurdles when it comes to IIoT/OT security
projects, leaving their networks and infrastructure open to the risks of security
incidents. Many organizations are in their infancy when it comes to IIoT/OT security
projects. Overall, while 72% are at least in the process of completing these projects,
only just under a third have already done so.
Oil and gas are the furthest ahead when it comes to completing some IIoT/OT
security projects. Agriculture, forestry, and fishing are much less likely to have done
this. In biotechnology, chemicals, and pharmaceuticals, only a fifth of respondents
have completed projects. Manufacturing and healthcare are also among the lowest.
Given the impacts if some of their devices are hacked, it should be a larger focus for
all sectors.
We thought it would be interesting to analyze the state of IIoT/OT security projects
not just by vertical, but also by the size of the organization.
48%
50%
39%
40%
30%
34% 32%
37% 39%
31%
27%
22% 23%
20%
23%
17%
10%
2%
0%
We have already
completed some IIoT/OT
security projects
500–999 employees
We are in the process
of completing IIoT/OT
security projects
We will be starting an
IIoT/OT security project
in the next 3 months
1,000–2,999 employees
6%
10%
4%
We will be starting an
IIoT/OT security project
in the next 6 months
3,000–4,999 employees
0% 0% 1%
2%
We will be starting an
IIoT/OT security project
in the next 12 months
5,000 or more employees
Analyzing the state of IIoT/OT security projects when grouping
We also wanted to know if organizations implement IIoT/OT
organizations by the number of employees, apparently
security on their own or if they work with external experts on
enterprises with more than 5,000 employees are more likely to
these types of projects.
have completed projects already, whereas the majority of small
companies are still working on it.
13
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Did your organization consult an external security
specialist when developing its current IIoT/OT strategy?
(n=800)
71%
66%
49%
Combination of “We consulted an external
OT security specialist” and “We consulted
an external IT security specialist”
45%
Combination of “We consulted an
external IT security specialist” and
“We worked with an in-house team”
31%
Combination of “We consulted an
external OT security specialist” and
“We worked with an in-house team”
We consulted an external
IT security specialist
We consulted an external
OT security specialist
We worked with
an in-house team
Combination of “We consulted an external
OT security specialist” and “We consulted
an external IT security specialist” and “We
worked with an in-house team”
Organizations are more likely to be looking to both external IT and OT security
specialists when developing their current IIoT/OT security strategies, rather than
just relying on their in-house teams. The majority sought external help to develop
their IIOT/OT security strategies.
14
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
28%
18%
FINDING #4
Security measures
do help
Next, we’ll be reviewing to what extent industrial security projects
mitigate the risks implied by the ever-evolving threat landscape.
To highlight the requirement for security, we compared the state
of IIoT/OT security projects with the most significant impact
experienced after an incident.
What impact did the most significant security incident experienced
in the last 12 months have on your organization’s operations?
(n=755)
Significant impact (complete shutdown of all devices and locations)
Moderate impact (a large number of devices or several locations were impacted)
Minimal impact (a few devices or one location was impacted)
No impact was experienced
We have already completed some IIoT/OT security projects
38%
30%
30%
32%
41%
27%
36%
42%
75%
We are in the process of completing IIoT/OT security projects
23%
8%
18%
We will be starting an IIoT/OT security project
Investments in security are paying off for organizations
There are a variety of different technologies available,
by reducing the impact of incidents when they happen.
though, so we also wanted to know which security measures
Organizations that have already completed some IIoT/OT
organizations have implemented and how it improved their
security projects are more likely to not experience an impact.
IIoT/OT security posture.
15
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
“We have already implemented the below technologies”
100%
98%
95%
75%
80%
66% 70%
93%
84%
68%
76%
79%
68%
80%
75%
60%
69% 64%
79%
90%
73%
72%
64%
90%
77%
67% 72%
88%
79%
69% 72%
40%
20%
0%
Industrial protocol detection
and enforcement
Antivirus or IPS
No impact was experienced
Segmentation
Web application firewall (WAF)
Minimal impact
Moderate impact
Anomaly detection
Advanced Threat Protection
Network traffic encryption
Significant impact
All these technologies are valuable in reducing impacts, especially industrial protocol detection
and enforcement and anti-virus/IPS.
Overall, out of respondents that already implemented IIoT/OT security and think it works well,
enterprise organizations represent the majority, and it seems smaller businesses have made less
progress in implementing their security strategy. There is a clearly visible relation between the
implementation status of security measures and the size of the organization.
Already implemented and works well
50%
40%
30%
27%
34% 36%
42%
31%
35%
42% 41%
40%
46%
39%
48%
42%
35%
25% 25%
39%
48%
43%
29% 27%
40%
24%
27%
39%
26%
43%
31%
20%
10%
0%
Industrial protocol detection
and enforcement
500–999 employees
Antivirus or IPS
Web application firewall (WAF)
1,000–2,999 employees
Segmentation
3,000–4,999 employees
Anomaly detection
5,000 or more employees
Security and technology adoption is generally higher in enterprise organizations, and the
largest organizations are successfully implementing more advanced security technologies.
However, organizations still face a variety of challenges when it comes to implementing IoT
security projects, which is perhaps why so many have had projects fail.
16
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Advanced Threat Protection
Network traffic encryption
Why, if at all, have any previous IIoT/OT security
projects failed within your organization?
60%
48%
(n=755)
60%
40%
0%
20%
40%
60%
80%
57%
39%
57%
48% 31% 31%
100%
31%
31% 31%
93%
25%
25%
0%
20%
The technology took
too long to implement
55%
The technology
was too expensive
41%
No one in the organization took
clear responsibility for the project
39%
We couldn’t source technology
that met our needs
We’ve not had any IIoT/OT
security projects fail
31%
47%
39%
40%
20%
Have had IIoT/OT
security projects fail
47%
500–999 employees
0%
60%
60%
40%
38%
7%
40%
20%
60%
50% 50%
500–999 employees
60% 41%
50% 50%
1,000–2,999 employees
55%
1,000–2,999 employees
48%
45%
55%
29%
41%
45%
48%
29%
0%
20%
3,000–4,999 employees
93% had a failed project, due to a variety of challenges related
to technology and costs. The top challenge, according to more
than half of the respondents, was that implementation took too
0%
5,000 or more employees
The technology took too long to implement
3,000–4,999 employees
5,000 or more employees
The technology was too expensive
long. Costs have also held back organizations; 41% of those
No one in the organization took clear
The technology took too long to implement
responsibility for the project
with failed projects said the technology was too expensive.
We couldn’t
source
that met our needs
The
technology
wastechnology
too expensive
Organizations are in dire need of a streamlined, simple, and
No one in the organization took clear
responsibility for the project
cost-effective approach to manage and run their IIoT/OT security
projects, to help reduce the risk of impact from security incidents.
Reasons for failed projects vary depending on the size of
the organization.
We couldn’t source technology that met our needs
Cost is less of a problem for large organizations. Instead,
responsibility and technological requirements are the most
common problems for these organizations.
17
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
In addition to the challenges they actually faced, organizations have
and expect to face a variety of implementation challenges when it
comes to IoT security projects.
Which of the following challenges did/do you think
your organization would/will face when implementing
IIoT/OT security projects?
(n=793)
Scalability of the solution
39%
The level of security provided by the solution
39%
Lack of control over external devices joining the network
36%
Challenges of a distributed environment
36%
The time it takes to implement the project
35%
Dealing with a number of different vendors
34%
Lack of technical knowledge
34%
32%
Dealing with legacy infrastructure
The cost of the project
27%
Nearly all respondents say their organization has or expects to face
challenges when implementing IIoT/OT security projects, including
scalability, security, technical knowledge, and cost.
39% of respondents stated that scalability of the solution is
a main concern, so we did a deeper analysis by vertical.
18
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
How problematic are the connectivity and
scalability of your organization’s IIoT/OT networks?
(n=800)
Connectivity: Combination of
very and fairly problematic
Scalability: Combination of
very and fairly problematic
72%
Wholesale
Telecommunications
Retail
35%
Telecommunications
45%
Mining and metals
Biotechnology, chemicals, and pharmaceuticals
Agriculture, forestry,
and fishing
Distribution and transportation
53%
Central, federal, and local gov
Biotechnology, chemicals, and pharmaceuticals
64%
Overall, 58% of respondents say the scalability of their organization’s IIoT/
OT network is very or fairly problematic. 56% say the same when it comes
to connectivity. Some industries, such as healthcare and wholesale, are
19
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
53%
58%
69%
57%
Energy, power generation, and utilities
36%
experiencing more challenges with connectivity and scalability.
67%
Healthcare (public and private)
61%
58%
48%
Manufacturing
55%
Energy, power generation, and utilities
Central, federal, and local gov
Mining and metals
61%
Healthcare (public and private)
34%
Oil and gas
47%
Manufacturing
Distribution and transportation
Retail
65%
Oil and gas
67%
Wholesale
Agriculture, forestry,
and fishing
40%
53%
62%
66%
FINDING #5
Infrastructure is at risk
When infrastructure is hit by an attack,
it is essential to stop lateral movement.
Micro-segmentation is the best practice to mitigate the impact
incidents in the first place is to keep the infrastructure and
of an incident. That way, potentially vulnerable devices on
devices fully patched and up to date. So, we also inquired
the network can be isolated from the rest, and only legitimate
about the frequency of updates applied to OT and IIoT devices.
network traffic is permitted.
How is/will your organization’s network
be segmented?
(n=796)
0%
20%
How often are security updates for your
organization’s IIoT/OT devices applied?
40%
60%
43%
Segmentation between IT and OT
(n=800)
21%
Daily
34%
Weekly
Segmentation according to Purdue
model within the OT network or similar
Micro-segmentation of single machines
or small groups of machines on
separate network segments
51%
16%
Quarterly
6%
Every six months
Every nine months
Looking at how organizations segment their networks, only
between IT and OT. That basic segmentation is usually the first
step, but security should be improved further by introducing
additional segmentation on the OT network. That is necessary
to combat threats on the local network, such as malicious
media devices and compromised remote access. 51% have
done that by creating network segments according to the
Purdue model — a common reference architecture — or similar
means. Only 6% have taken the further step of implementing
micro-segmentation, providing the best possible protection by
isolating each single device or small groups of devices.
Besides micro-segmentation, one of the most important
mechanisms to reduce the attack vector and avoid security
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
5%
2%
Average numer of months
security updates are applied
43% of organizations have implemented segmentation
20
23%
Monthly
Central, federal, and local gov
0.44
Manufacturing
0.82
Distribution and transportation
0.85
Wholesale
0.91
Retail
0.96
Healthcare (public and private)
1.12
Oil and gas
1.16
Energy, power generation, and utilities
1.18
Telecommunications
Mining and metals
1.44
1.66
Agriculture, forestry, and fishing
1.76
Biotechnology, chemicals, and pharmaceuticals
1.77
On average, security updates are applied every 1.25
in the last 12 months. Nearly one-quarter apply updates
months. Those in government are doing this most often,
monthly. Only 6% apply updates every six to nine months.
around twice a month on average. This higher frequency
It appears that in many cases, updates are reactionary after
could be explained by the fact that they are one of the
an incident, as opposed to proactively preventing them.
most likely sectors to have experienced security incidents
Average number of months organizations apply security updates to IIoT/OT devices
Device manufacturer applies
the security update
Security updates of IIoT/OT devices are not
manual at all — updates are applied automatically
1.13
The organization applies the
security update themselves
1.29
Security updates of IIoT/OT devices are
completely manual — none are automatic
Third-party service provider
applies the security update
1.30
Security updates of IIoT/OT devices are
somewhat manual / somewhat automatic
0.69
1.26
1.45
The frequency of these updates varies depending on who
For around two-thirds of respondents, security updates are
applies the update and if the updates are automatic or manual.
applied to these devices through a third-party service provider or
a device manufacturer. Just less than half of organizations handle
updates themselves.
How are the security updates for your organization’s IIoT/OT devices applied?
(n=800)
100%
75%
80%
60%
40%
40%
51% 54%
78%
64%
53%
70%
52%
20%
0%
We handle this ourselves
It’s not manual at all — updates are applied automatically
Device manufacturer
Third-party service provider
It’s somewhat manual/somewhat automatic
It’s completely manual — none are automatic
Automation is higher when updates are managed externally, which is one of the primary benefits of doing
so. There is demonstrated value in having a third party manage updates, as they tend to be performed
automatically. Internally, updates tend to be handled manually.
21
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Agriculture, forestry, and fishing
Biotechnology, chemicals, and pharmaceuticals
10%
78%
6%
82%
53%
47%
Distribution and transportation
17%
63%
15%
36%
Manufacturing
56%
16%
8%
60%
20%
35%
58%
28%
Telecommunications
Security updates of IIoT/OT devices are not manual
at all — updates are applied automatically
8%
59%
36%
Wholesale
8%
76%
20%
Retail
7%
69%
22%
Oil and gas
9%
47%
14%
Healthcare (public and private)
Mining and metals
11%
38%
Central, federal, and local gov
Energy, power generation, and utilities
12%
13%
52%
Security updates of IIoT/OT devices are
somewhat manual/somewhat automatic
12%
Security updates of IIoT/OT devices are
completely manual — none are automatic
The level of automation varies across the different verticals. In energy, power, and
utilities, 86% of organizations are using a partially manual process, leaving themselves
exposed to the risk of breach if not done regularly or correctly.
The degree of update automation clearly has a relation to the severity of incidents,
showing that frequent updates help to defend against cyberattacks.
Incidents resulting in complete shutdown
20%
18%
15%
12%
10%
6%
5%
0%
Completely manual updates
Somewhat manual updates
Completely automatic updates
For those applying updates manually, nearly one-fifth said the most significant security incident led to a
complete shutdown of all devices and locations. It’s clear that the level of automation plays a major part
in the impact security incidents have on organizations. Where security updates are applied automatically,
just 6% experienced a complete shutdown of all devices and locations following an incident.
22
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
FINDING #6
Remote access
security requires
immediate attention
Virtually all organizations allow both internal and
external users to access OT environments remotely.
The frequent usage of remote access mechanisms
requires robust security and authentication measures.
Does your organization allow remote access into
OT environments?
(n=800)
59%
Internal users
51%
External users
25%
27%
2%
14%
18%
2%
1%
Yes, full network access and multifactor authentication is required
Yes, full network access and multifactor authentication is not required
Yes, partial network access (to certain systems only) and multifactor authentication is required
Yes, partial network access (to certain systems only) and multifactor authentication is not required
No, no remote access at all
The majority allow full network access, but around a quarter of this group report that multifactor
authentication (MFA) is not required. Only 18% of companies restrict network access and enforce MFA
when it comes to remote access into OT networks. Given the sensitive nature of these environments,
organizations should be taking every precaution necessary to keep them as secure as possible.
23
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Remote access for internal users
39%
Agriculture, forestry, and fishing
41%
46%
Biotechnology, chemicals, and pharmaceuticals
19%
33%
16%
76%
Central, federal, and local gov
16%
Healthcare (public and private)
Manufacturing
24%
62%
28%
61%
29%
47%
Mining and metals
9%
10%
73%
Retail
24%
47%
24%
10%
15%
29%
Yes, full network access and multifactor authentication is not required
Yes, partial network access (to certain systems only) and multifactor authentication is required
Yes, partial network access (to certain systems only) and multifactor authentication is not required
Across the different sectors, most internal users have
environments remotely without using MFA. This might be
full network access, but MFA is not as widespread. In
because they are further behind on their IIoT/OT projects.
biotechnology, chemicals, and pharmaceuticals, for example,
This is an area that these organizations need to be aware
a third of respondents said internal users can access OT
of, given the implications if their devices are compromised.
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
3%
10%
Yes, full network access and multifactor authentication is required
24
2%
1%
5%
18%
60%
Wholesale
9%
18%
77%
Telecommunications
7%
29%
Oil and gas
11%
20%
69%
Energy, power generation, and utilities
5%
13%
64%
Distribution and transportation
2%
1%
Remote access for external users
36%
Agriculture, forestry, and fishing
29%
36%
49%
Biotechnology, chemicals, and pharmaceuticals
31%
56%
Central, federal, and local gov
Distribution and transportation
38%
Energy, power generation, and utilities
38%
33%
16%
40%
61%
Mining and metals
61%
Retail
60%
Telecommunications
59%
16%
4%
1%
13%
16%
8%
23%
18%
18%
15%
53%
2%
25%
25%
52%
Wholesale
15%
31%
Manufacturing
Oil and gas
9%
47%
45%
Healthcare (public and private)
1%
3%
2%
16%
20%
23%
33%
5%
2%
10%
3%
2%
1%
3%
Yes, full network access and multifactor authentication is required
Yes, full network access and multifactor authentication is not required
Yes, partial network access (to certain systems only) and multifactor authentication is required
Yes, partial network access (to certain systems only) and multifactor authentication is not required
No, no remote access at all
Similarly, the majority allow external users full network access to
This situation should never exist in critical sectors and should be
OT environments. The use of MFA to do this is widespread, but it
addressed immediately. As we saw with the attack on Colonial
is severely lacking for some sectors. Energy, power generation,
Pipeline, just one successful remote access attack can have
and utilities is the most likely sector to allow full network access
wide-reaching, catastrophic impacts.
without the requirement of MFA.
The market offers a variety of different remote access
mechanisms, from simple traditional VPN to highly secure
Zero Trust solutions.
25
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Which of the following tools is your organization
using for remote access?
In addition to who can access the network, organizations also
need to consider what users are allowed to do on the network.
(n=800)
0%
Fully implemented Zero Trust
model with commercial zero
trust offering
Basic web-based Zero Trust concept to
RDP/screenshare host, no network access
Web-based access to RDP or other
screen-sharing tools, segmentation
enforced on RDP host via limited
access to resources
10%
20%
30%
40%
50%
1%
1%
Access rights and security policies for single users or user groups
need to be defined.
In your organization, which of the following
access permissions are granted via remote
access for internal and external users?
2%
1%
(n=800)
18%
0%
6%
19%
VPN or SSL-VPN access to other
screen-sharing tools with full access
34%
41%
Direct network-level access via
VPN or SSL-VPN, few or very little
network segmentation
26%
40%
60%
Collecting data for
analytics and maintenance
15%
VPN or SSL-VPN access to RDP
host (Remote Desktop Protocol)
with full access everywhere
20%
36%
External users
Internal users
63%
Applying configuration
changes and updates
56%
Use of specified applications
and protocols only
54%
Privileged access
management is applied
None of these access
permissions are granted
80%
49%
1%
Zero Trust Network Access (ZTNA) is the most secure way to
provide remote access, including granular permissions based
on user id, device id and type, health state, and geographic
location. It’s not one-time access; it’s continuously applied,
and permissions are continually verified. With only 1% of
respondents using ZTNA for either internal or external users,
it’s clearly in its infancy in the OT space. This represents an
easy opportunity for the industry to improve their security
posture quickly when it comes to remote access.
The majority of organizations provide direct network-level
access without further security. All network traffic from remote
connections should run through detailed security inspection and
be limited to specific target systems only. In particular, the use
of screen-sharing tools and remote desktop connections are
often inadvertently bypassing existing security measures in many
cases. Given that compromised remote access is a common
problem, addressing these weaknesses could increase the level
of protection significantly.
26
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
There are a range of access permissions granted via remote
access for both internal and external users: collecting data for
analytics and maintenance (63%); applying configuration changes
and updates (56%); use of specified applications and protocols
(54%); privileged access management is applied (49%). Just 1%
say none of these access permissions are granted. If access
to an organization’s OT environment fell into the wrong hands,
especially in a critical sector, the impacts could be detrimental.
Worryingly, over half (57%) of respondents report that external
users who have full network access are able to apply
configuration changes and updates, a very high-risk situation
for a breach.
FINDING #7
Digital transformation
drives new technology
The adoption of the public cloud, software-as-a-service
(SaaS), and secure access service edge (SASE) is changing
the way corporations operate and the network architecture
they require. We wanted to know where businesses are on
this journey to digitalization.
Does your organization plan to utilize a public cloud offering for
digital transformation?
(n=800)
0%
10%
20%
30%
We are already
utilizing a public
cloud offering
40%
36%
We are in the process
of adopting a public
cloud offering
40%
We will be adopting a
public cloud offering
within the next 12 months
We will be adopting a public
cloud offering within the
next 12 to 24 months
20%
4%
Virtually all organizations have committed to the adoption of public cloud. 96% are already using public
cloud, are in the process of adopting a public cloud offering, or have plans to do so in the next 12 months.
However, the level of adoption shows significant differences between industries.
27
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Public cloud adoption by industry
17%
Agriculture, forestry, and fishing
Biotechnology, chemicals, and pharmaceuticals
53%
15%
61%
23%
60%
Central, federal, and local gov
9%
49%
Distribution and transportation
28%
32%
38%
20%
50%
Retail
38%
56%
Telecommunications
14%
43%
We are in the process of adopting a public cloud offering
We will be adopting a public cloud offering within the next 24 months
We will be adopting a public cloud offering but not in the next 24 months
We currently have no plans to adopt a public cloud offering
The adoption of public cloud is widespread in some industries but still being worked on in others.
Interestingly, in the government sector, where the use of IIoT tends to be for managing critical
infrastructure, the use of public cloud is very high at 60%. On the other end of the spectrum are
the healthcare; mining and metals; agriculture, forestry, and fishing; biotechnology, chemicals, and
pharmaceuticals; and wholesale verticals, all with an adoption rate below 30%.
Public cloud is not a security risk. In general, companies using public cloud seem to be more willing
to adopt technology and invest in security. The same group is also seen adopting edge computing
more often, and public cloud appears to be a driver for that technology. So, we wanted to know if
28
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
13%
22%
We are already utilizing a public cloud offering
this is in fact the case.
2%
16%
45%
42%
Oil and gas
2%
15%
50%
24%
Mining and metals
16%
43%
34%
Manufacturing
2%
31%
28%
Healthcare (public and private)
1%
29%
33%
54%
Energy, power generation, and utilities
Wholesale
31%
21%
43%
1%
To what extent has your organization adopted edge computing?
(n=800)
We are already utilizing
a public cloud offering
67%
We are in the process of
adopting a public cloud offering
23%
19%
We will be adopting a public cloud
offering within the next 12 months
65%
8%
We will be adopting public cloud
offering later or have no plans to adopt
16%
38%
6%
We have fully adopted edge computing
7%
48%
31%
43%
11%
6%
We currently have no plans to adopt edge computing
Don’t know
Edge computing is considered an important part of an organization’s setup by the vast majority of
respondents and will likely continue to gain in popularity in the future.
Over two-fifths of respondents say their organization is in the process of adopting edge computing.
About one-third say edge computing has been fully adopted. About one-quarter say their organization
will be adopting edge computing within the next 12 to 24 months. Based on the data, it’s clear edge
computing helps businesses take advantage of public cloud, with adoption among those who are
already utilizing a public cloud offering reaching 67%.
Looking at the popular IoT edge platforms, Google IoT Edge, AWS Greengrass, and Azure IoT Edge
are the most likely edge computing tools being considered, according to respondents.
Which of the following benefits has/do you think your organization
would gain by adopting always connected IIoT?
(n=800)
42%
Improved
product
quality
29
39%
Improving
asset/device
management
39%
Increased
agility
38%
Competitive
advantages
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
37%
Optimized/
simplified
maintenance
36%
Optimize
equipment
effectiveness
1%
1%
1%
3%
We will be adopting edge computing within the next 12 months
We are in the process of adopting edge computing
We will be adopting edge computing in 12 to 24 months
4%
3%
34%
Improving
decisionmaking
34%
Reduce
production
cost
29%
29%
Reduce
CO2
emission
Real-time
monitoring
and control
When asked about the importance of digitalization in general, there is overwhelming
agreement from respondents when it comes to three items:
• Always connected IIoT/OT is viewed as competitive assets for organizations
• Edge computing is considered an important part of an organization’s setup
• Organizations need to invest more in the security of IIoT and OT
In more detail, improving product quality, asset/device management, and agility were
cited as top benefits of always connected IIoT.
Our final question in this survey was about the most important use cases for future
digitalization projects.
Which of the following would your organization consider when
digitally transforming your organization?
(n=800)
52%
52%
Artifical Intelligence/
machine learning
Data normalization
and aggregation
50%
33%
Predictive/
pre-emptive
maintenance
Product
customization/
lot size 1
Looking forward to the adoption of additional technologies, organizations are
considering a number of solutions and strategies, including the use of AI/ML
and better data management.
30
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
50%
Remote condition
monitoring of assets
27%
Digital twin
Conclusion
In today’s uncertain geopolitical environment, people and
Fortunately, effective solutions to IIoT security challenges are
organizations are highly concerned with potential cyberattacks.
available, including secure endpoint connectivity devices and
The most concerning are possible attacks on critical infrastructure
ruggedized network firewalls, all centrally deployed and managed
and industrial assets. Unfortunately, IIoT/OT security currently
via a secure cloud service. These solutions can enable effective
requires a lot of improvement.
network segmentation and advanced threat protection, provide
multifactor authentication, and even implement Zero Trust Access.
This report shows nearly all — 94% — of organizations have
In addition, web application firewall services can be deployed to
experienced at least one security incident, which likely impacted
protect the infrastructure from web application and DDoS attacks.
their industrial IoT infrastructure. These incidents had significant
impact on organizations, with 87% of them reporting their
operations were impacted for one day or more. The incidents
involved a wide range of attacks, with web application, malicious
external hardware/removable media, and distributed denial of
service attacks being the most frequent.
The good news is the majority of organizations are already
implementing or planning IIoT/OT security projects. Even better
news is organizations that didn’t experience an impact are
more likely to have already completed some IIoT/OT security
projects, so these projects seem to be effective. There are
many challenges, however, in successfully implementing IIoT/
OT security, including long implementation times and high
costs. In fact, 93% of organizations had a failed project on their
journey to IIoT/OT security.
Some of the areas that require attention are the lack of network
segmentation, reactive rather than proactive security updates,
and insufficient automation. One area that requires urgent
attention is remote access security. While most organizations
allow both internal and external users access to their OT
environments, roughly a quarter are not requiring multifactor
authentication, leaving organizations wide open to attacks.
31
| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022
Nearly all — 94% — of
organizations have
experienced at least
one security incident,
which likely impacted
their industrial
IoT infrastructure.
These incidents had
significant impact on
organizations, with
87% of them reporting
their operations were
impacted for one day
or more.
