The State of Industrial Security 2022


Industrial security: Challenges and opportunities

Security for the industrial internet of things (IIoT) and operational
technology (OT) is in its infancy in many organizations. Several
factors — including security incidents — are driving awareness and
improvements. There’s certainly plenty of room for both, considering
more than 90% of organizations surveyed acknowledged experiencing
a security incident in the last 12 months.

From web application attacks to distributed denial-of-service (DDoS)
attacks and everything in between, global businesses are dealing with
a wide range of potential cybersecurity risks. In addition, respondents
are also concerned about the impact that the current threat landscape
and geopolitical situation could have on their organizations. While that
largely sits outside an organization’s control, it impacts them in some
shape or form and is a concern.


| Barracuda • THE STATE OF INDUSTRIAL SECURITY IN 2022

Security threats are rife, and organizations should
be protecting themselves, especially those in
the critical sectors, such as oil and gas. Just one
successful supply-chain attack can have wide-reaching,
catastrophic impacts. Indeed, the high
level of incidents underscores the vital need
for IIoT/OT security to adequately protect all
organizations, in every sector.

This report takes an in-depth look at IIoT/OT
security projects, implementation challenges,
security incidents, technology investments, and
a variety of issues related to cybersecurity risks.

Methodology

Barracuda commissioned independent
market researcher Vanson Bourne to
conduct a global survey of senior IT
managers, senior IT security managers,
and project managers responsible for
IIoT/OT in their organization. There were
800 survey participants from a broad
range of industries, including agriculture,
biotechnology, construction, energy,
government, healthcare, manufacturing,
retail, telecommunications, wholesale,
and others. Survey participants were
from the U.S., Europe, and Australia.
In Europe, respondents were from the
United Kingdom, France, Germany, Austria,
Switzerland, Belgium, the Netherlands,
Luxembourg, Denmark, Finland, Norway,
and Sweden. The survey was fielded in
April 2022.


FINDING #1

Most organizations have experienced security incidents

Initially, we asked respondents about their general feelings and
concerns about the threat landscape to get an indication of how
much awareness this topic gets and to help put the rest of their
responses in context.

How concerned are you about the current threat
landscape and geopolitical situation in terms of the
impact it may have on your organization?
(n=800)

Respondents from the U.S. and Australia are most likely to be
very concerned, while respondents from France are the least
likely to be concerned. The level of concern not only varies by
region but also by industry.
[Chart: level of concern by industry (Very concerned, Fairly concerned,
Not very concerned, Not concerned at all). Industries shown: Central,
federal, and local gov; Telecom; Retail; Oil and gas; Wholesale;
Energy, power generation, and utilities]

Overall, respondents are concerned about the impact that the
current threat landscape and geopolitical situation will have on
their organizations, with 88% very or fairly concerned. While the
current threat landscape and geopolitical situation is something
that largely sits outside an organization’s control, it impacts
them in some shape or form and is a concern for organizations.


[Chart, continued: level of concern by industry (Very concerned, Fairly
concerned, Not very concerned, Not concerned at all). Industries shown:
Manufacturing; Distribution and transportation; Healthcare (public and
private); Mining and metals; Biotechnology, chemicals, and
pharmaceuticals; Agriculture, forestry, and fishing]

Understandably, concern is more prevalent in sectors likely to
feel the effects of the current threat and geopolitical landscape.
Government respondents are the most likely to be very
concerned. The overall level of concern, when looking at those
who are both very and fairly concerned, is also high among other
critical sectors, including oil and gas and healthcare. Critical
sectors will be on high alert during periods of uncertainty, as any
impacts could have wide-reaching implications.

Next, we wanted to better understand the security situation in
industrial environments.

Has your organization experienced a security
incident in the last 12 months?
(n=800)

Experienced an incident: 94.38%
Has not experienced any incidents: 5.38%
Don’t know: 0.25%

Most organizations (94%) have experienced some sort of security
incident in the last 12 months, which is a surprising and alarmingly
high number.
Looking at the detailed results by region and industry,
this appears to be a general problem.

Experienced an incident, by industry

Central, federal, and local gov: 100%
Mining and metals: 100%
Oil and gas: 100%
Telecommunications: 99%
Agriculture, forestry, and fishing: 98%
Wholesale: 98%
Manufacturing: 98%
Distribution and transportation: 96%
Healthcare (public and private): 94%
Retail: 93%
Energy, power generation, and utilities: 85%
Biotechnology, chemicals, and pharmaceuticals: 82%

[Chart: experienced an incident, by geography (U.S., UK, Nordics, DACH,
Australia, France, Benelux)]

All government, mining and metals, and oil and gas respondents
say they’ve experienced at least one incident. Given the critical
nature of some of these sectors, it’s essential they bolster security
to avoid disastrous impacts.

Because so many organizations have been hit by a security
incident, we wanted to know more details, especially about the
impact and duration of these incidents.

How long were your organization’s operations impacted due to the most
significant security incident experienced in the last 12 months?
(n=715)

[Chart: duration of operational impact. Categories: less than a day,
1 day, 2 days, 3 days, 4 days, 5 days]

87% of organizations that experienced an incident were impacted between one and five days.
On average, it took organizations 1.84 days to resolve the issue. Looking at the provided
severity of the impact of those incidents explains why it took so much time to remediate.

Q: What impact did the most significant security incident experienced
in the last 12 months have on your organization’s operations?
(n=755)
[Chart: impact of the most significant incident and average days of
impact, by region (Total, UK, France, Nordic, Australia, U.S., DACH,
Benelux)]

Impact categories:
Significant impact (complete shutdown of all devices and locations)
Moderate impact (a large number of devices or several locations were impacted)
Minimal impact (a few devices or one location was impacted)
No impact was experienced

Those in the DACH region (Germany, Austria, and Switzerland) and those in the U.S. were
more likely to experience significant impacts from their most significant security incident in
the last 12 months. Those in the U.S. were impacted for an average of just over two days.
Experiencing a complete shutdown of all devices and locations for this length of time can
have catastrophic implications for organizations, and it’s a situation that can be avoided by
making relatively modest investments in security.

[Chart: impact of the most significant incident (Significant, Moderate,
Minimal, No impact) and average days of impact, by industry:
Agriculture, forestry, and fishing; Biotechnology, chemicals, and
pharmaceuticals; Central, federal, and local gov; Distribution and
transportation; Energy, power generation, and utilities; Healthcare
(public and private); Manufacturing; Mining and metals; Oil and gas;
Retail; Telecommunications; Wholesale]

When combining significant and moderate impacts, the scale of these incidents demonstrates
how some organizations have been struggling.
While government organizations are still the most likely to have experienced a significant or
moderate impact, those in wholesale; and agriculture, forestry, and fishing also have over
two-thirds of respondents reporting the same. Given the impacts include a complete shutdown
or many devices being impacted, organizations cannot afford to become complacent in
this area.


FINDING #2

The most common attack vectors

To get the next level of detail around security incidents that have
significantly impacted operations, we asked respondents about the
attack types their organization has experienced in the past year.

Which of the following security incidents has your
organization experienced in the last 12 months?
(n=800)

[Chart: security incidents experienced in the last 12 months. Incident
types: Web application attacks; Malicious external hardware or
removable media; Distributed denial of service (DDoS); Compromised
remote access; Compromised supply chain; Data theft; API attacks;
Ransomware; Other malware]

The most common incidents were web application attacks,
malicious external hardware or removable media, DDoS, and
compromised remote access.

Web applications and APIs are popular attack vectors. In the
future, as automation increases, APIs will be a bigger target
for attacks. APIs and management interfaces, which are not
intended for public access, need robust protection and should
never be exposed. The issues with malicious external hardware
and removable media, like USB sticks, were ranked surprisingly
high. IoT/OT environments require temporary third-party access
for maintenance as well as troubleshooting. The high ranking of
compromised remote access shows the urgency for getting this
fixed.

Another finding was that organizations with more devices
experience more attacks, especially in the top attack categories.
Interestingly, ransomware attacks are more evenly distributed
across organizations with differing numbers of devices.

[Chart: security incidents experienced in the organization in the last
12 months, by number of IIoT/OT devices or cyber-physical systems
(1–2,000; 2,001–3,000; 3,001–4,000; 4,001–5,000; 5,001–6,000; 6,001 or
more). Panels: Web application attacks; Malicious external hardware or
removable media; Distributed denial of service (DDoS); Compromised
remote access; Compromised supply chain; Ransomware]

The high level of incidents underscores the vital need for IIoT/OT
security to adequately protect all organizations. This is probably
why 96% agree their organization needs to invest more in the
security of IIoT and OT.

In some critical sectors, organizations experienced fewer
incidents. In biotechnology, chemicals, and pharmaceuticals,
nearly 20% had no incidents in the last 12 months. In energy,
power, and utilities, 15% had no incidents in the last 12 months.
Overall, we see significant differences in both probability and
attack vector across different industry verticals.


[Chart: security incidents experienced in the organization in the last
12 months, by industry. Panels: Web application attacks; Malicious
external hardware or removable media; Compromised remote access;
Compromised supply chain. Industries: Agriculture, forestry, and
fishing; Biotechnology, chemicals, and pharmaceuticals; Central,
federal, and local gov; Distribution and transportation; Energy, power
generation, and utilities; Healthcare (public and private);
Manufacturing; Mining and metals; Oil and gas; Retail;
Telecommunications; Wholesale]

FINDING #3

Organizations are investing in security

To put the rather frightening results of the security incidents and
successful attacks into perspective, we asked respondents how
far their organization’s operational technology and industrial IoT
security projects had progressed.

What stage is your organization at when it comes to IIoT/OT security projects?
(n=800)

[Chart: stage of IIoT/OT security projects, total and by industry (Oil
and gas; Telecommunications; Energy, power generation, and utilities;
Retail; Government; Healthcare; Distribution and transportation;
Wholesale; Biotechnology, chemicals, and pharmaceuticals;
Manufacturing; Mining and metals; Agriculture, forestry, and fishing).
Categories: We have already completed some IIoT/OT security projects;
We are in the process of completing IIoT/OT security projects; We will
be starting an IIoT/OT security project in the next 3 months; in the
next 6 months; in the next 12 months]


Organizations are facing a multitude of hurdles when it comes to IIoT/OT security
projects, leaving their networks and infrastructure open to the risks of security
incidents. Many organizations are in their infancy when it comes to IIoT/OT security
projects. Overall, while 72% are at least in the process of completing these projects,
only just under a third have already done so.
Oil and gas are the furthest ahead when it comes to completing some IIoT/OT
security projects. Agriculture, forestry, and fishing are much less likely to have done
this. In biotechnology, chemicals, and pharmaceuticals, only a fifth of respondents
have completed projects. Manufacturing and healthcare are also among the lowest.
Given the impacts if some of their devices are hacked, it should be a larger focus for
all sectors.
We thought it would be interesting to analyze the state of IIoT/OT security projects
not just by vertical, but also by the size of the organization.

[Chart: stage of IIoT/OT security projects, by number of employees
(500–999; 1,000–2,999; 3,000–4,999; 5,000 or more). Categories: We have
already completed some IIoT/OT security projects; We are in the process
of completing IIoT/OT security projects; We will be starting an IIoT/OT
security project in the next 3 months; in the next 6 months; in the
next 12 months]

Analyzing the state of IIoT/OT security projects when grouping
organizations by the number of employees, apparently
enterprises with more than 5,000 employees are more likely to
have completed projects already, whereas the majority of small
companies are still working on it.

We also wanted to know if organizations implement IIoT/OT
security on their own or if they work with external experts on
these types of projects.


Did your organization consult an external security
specialist when developing its current IIoT/OT strategy?
(n=800)

[Chart: sources consulted when developing the current IIoT/OT strategy.
Response options: We consulted an external IT security specialist; We
consulted an external OT security specialist; We worked with an
in-house team; and the combinations of external OT and external IT
specialists, external IT specialist and in-house team, external OT
specialist and in-house team, and all three together]

Organizations are more likely to be looking to both external IT and OT security
specialists when developing their current IIoT/OT security strategies, rather than
just relying on their in-house teams. The majority sought external help to develop
their IIoT/OT security strategies.


FINDING #4

Security measures do help

Next, we’ll be reviewing to what extent industrial security projects
mitigate the risks implied by the ever-evolving threat landscape.
To highlight the requirement for security, we compared the state
of IIoT/OT security projects with the most significant impact
experienced after an incident.

What impact did the most significant security incident experienced
in the last 12 months have on your organization’s operations?
(n=755)

[Chart: impact of the most significant incident, by stage of IIoT/OT
security projects (We have already completed some IIoT/OT security
projects; We are in the process of completing IIoT/OT security
projects; We will be starting an IIoT/OT security project)]

Impact categories:
Significant impact (complete shutdown of all devices and locations)
Moderate impact (a large number of devices or several locations were impacted)
Minimal impact (a few devices or one location was impacted)
No impact was experienced

Investments in security are paying off for organizations
by reducing the impact of incidents when they happen.
Organizations that have already completed some IIoT/OT
security projects are more likely to not experience an impact.

There are a variety of different technologies available,
though, so we also wanted to know which security measures
organizations have implemented and how it improved their
IIoT/OT security posture.


[Chart: “We have already implemented the below technologies”, by impact
of the most significant incident (No impact was experienced, Minimal
impact, Moderate impact, Significant impact). Technologies: Industrial
protocol detection and enforcement; Antivirus or IPS; Segmentation; Web
application firewall (WAF); Anomaly detection; Advanced Threat
Protection; Network traffic encryption]

All these technologies are valuable in reducing impacts, especially industrial protocol detection
and enforcement and anti-virus/IPS.
Overall, out of respondents that already implemented IIoT/OT security and think it works well,
enterprise organizations represent the majority, and it seems smaller businesses have made less
progress in implementing their security strategy. There is a clearly visible relation between the
implementation status of security measures and the size of the organization.

[Chart: “Already implemented and works well”, by number of employees
(500–999; 1,000–2,999; 3,000–4,999; 5,000 or more). Technologies:
Industrial protocol detection and enforcement; Antivirus or IPS; Web
application firewall (WAF); Segmentation; Anomaly detection; Advanced
Threat Protection; Network traffic encryption]

Security and technology adoption is generally higher in enterprise organizations, and the
largest organizations are successfully implementing more advanced security technologies.
However, organizations still face a variety of challenges when it comes to implementing IoT
security projects, which is perhaps why so many have had projects fail.


Why, if at all, have any previous IIoT/OT security
projects failed within your organization?
(n=755)

[Chart: reasons for failed IIoT/OT security projects, overall and by
number of employees (500–999; 1,000–2,999; 3,000–4,999; 5,000 or more).
Response options: The technology took too long to implement; The
technology was too expensive; No one in the organization took clear
responsibility for the project; We couldn’t source technology that met
our needs; We’ve not had any IIoT/OT security projects fail]

93% had a failed project, due to a variety of challenges related
to technology and costs. The top challenge, according to more
than half of the respondents, was that implementation took too
long. Costs have also held back organizations; 41% of those
with failed projects said the technology was too expensive.
Organizations are in dire need of a streamlined, simple, and
cost-effective approach to manage and run their IIoT/OT security
projects, to help reduce the risk of impact from security incidents.
Reasons for failed projects vary depending on the size of
the organization.

Cost is less of a problem for large organizations. Instead,
responsibility and technological requirements are the most
common problems for these organizations.


In addition to the challenges they actually faced, organizations have
and expect to face a variety of implementation challenges when it
comes to IoT security projects.

Which of the following challenges did/do you think
your organization would/will face when implementing
IIoT/OT security projects?
(n=793)

Scalability of the solution: 39%
The level of security provided by the solution: 39%
Lack of control over external devices joining the network: 36%
Challenges of a distributed environment: 36%
The time it takes to implement the project: 35%
Dealing with a number of different vendors: 34%
Lack of technical knowledge: 34%
Dealing with legacy infrastructure: 32%
The cost of the project: 27%

Nearly all respondents say their organization has or expects to face
challenges when implementing IIoT/OT security projects, including
scalability, security, technical knowledge, and cost.
39% of respondents stated that scalability of the solution is
a main concern, so we did a deeper analysis by vertical.


How problematic are the connectivity and
scalability of your organization’s IIoT/OT networks?
(n=800)

[Chart: share of respondents rating the connectivity and the scalability
of their IIoT/OT networks as very or fairly problematic, by industry
(Wholesale; Telecommunications; Retail; Oil and gas; Mining and metals;
Manufacturing; Healthcare (public and private); Energy, power
generation, and utilities; Distribution and transportation; Central,
federal, and local gov; Biotechnology, chemicals, and pharmaceuticals;
Agriculture, forestry, and fishing)]

Overall, 58% of respondents say the scalability of their organization’s
IIoT/OT network is very or fairly problematic. 56% say the same when it
comes to connectivity. Some industries, such as healthcare and
wholesale, are experiencing more challenges with connectivity and
scalability.


FINDING #5

Infrastructure is at risk

When infrastructure is hit by an attack,
it is essential to stop lateral movement.
Micro-segmentation is the best practice to mitigate the impact
of an incident. That way, potentially vulnerable devices on
the network can be isolated from the rest, and only legitimate
network traffic is permitted.

How is/will your organization’s network
be segmented?
(n=796)

Segmentation between IT and OT: 43%
Segmentation according to Purdue model within the OT network or similar: 51%
Micro-segmentation of single machines or small groups of machines on separate network segments: 6%

Looking at how organizations segment their networks, only
43% of organizations have implemented segmentation
between IT and OT. That basic segmentation is usually the first
step, but security should be improved further by introducing
additional segmentation on the OT network. That is necessary
to combat threats on the local network, such as malicious
media devices and compromised remote access. 51% have
done that by creating network segments according to the
Purdue model — a common reference architecture — or similar
means. Only 6% have taken the further step of implementing
micro-segmentation, providing the best possible protection by
isolating each single device or small groups of devices.

Besides micro-segmentation, one of the most important
mechanisms to reduce the attack vector and avoid security
incidents in the first place is to keep the infrastructure and
devices fully patched and up to date. So, we also inquired
about the frequency of updates applied to OT and IIoT devices.

How often are security updates for your
organization’s IIoT/OT devices applied?
(n=800)

Daily: 21%
Weekly: 34%
Monthly: 23%
Quarterly: 16%
Every six months: 5%
Every nine months: 2%

Average number of months security updates are applied

Central, federal, and local gov: 0.44
Manufacturing: 0.82
Distribution and transportation: 0.85
Wholesale: 0.91
Retail: 0.96
Healthcare (public and private): 1.12
Oil and gas: 1.16
Energy, power generation, and utilities: 1.18
Telecommunications: 1.44
Mining and metals: 1.66
Agriculture, forestry, and fishing: 1.76
Biotechnology, chemicals, and pharmaceuticals: 1.77

On average, security updates are applied every 1.25
months. Those in government are doing this most often,
around twice a month on average. This higher frequency
could be explained by the fact that they are one of the
most likely sectors to have experienced security incidents
in the last 12 months. Nearly one-quarter apply updates
monthly. Only 6% apply updates every six to nine months.
It appears that in many cases, updates are reactionary after
an incident, as opposed to proactively preventing them.

The frequency of these updates varies depending on who
applies the update and if the updates are automatic or manual.

[Chart: average number of months organizations apply security updates to
IIoT/OT devices, by who applies the update (device manufacturer, the
organization itself, third-party service provider) and by degree of
automation (applied automatically, somewhat manual/somewhat automatic,
completely manual)]

For around two-thirds of respondents, security updates are
applied to these devices through a third-party service provider or
a device manufacturer. Just less than half of organizations handle
updates themselves.

How are the security updates for your organization’s IIoT/OT devices applied?
(n=800)
[Chart: who applies security updates (We handle this ourselves; Device
manufacturer; Third-party service provider), broken down by degree of
automation (It’s not manual at all — updates are applied automatically;
It’s somewhat manual/somewhat automatic; It’s completely manual — none
are automatic)]

Automation is higher when updates are managed externally, which is one of the primary benefits of doing
so. There is demonstrated value in having a third party manage updates, as they tend to be performed
automatically. Internally, updates tend to be handled manually.


[Chart: degree of automation of IIoT/OT security updates, by industry
(Agriculture, forestry, and fishing; Biotechnology, chemicals, and
pharmaceuticals; Central, federal, and local gov; Distribution and
transportation; Energy, power generation, and utilities; Healthcare
(public and private); Manufacturing; Mining and metals; Oil and gas;
Retail; Telecommunications; Wholesale). Categories: Security updates of
IIoT/OT devices are not manual at all — updates are applied
automatically; somewhat manual/somewhat automatic; completely manual —
none are automatic]

The level of automation varies across the different verticals. In energy, power, and
utilities, 86% of organizations are using a partially manual process, leaving themselves
exposed to the risk of breach if not done regularly or correctly.
The degree of update automation clearly has a relation to the severity of incidents,
showing that frequent updates help to defend against cyberattacks.

Incidents resulting in complete shutdown

Completely manual updates: 18%
Somewhat manual updates: 12%
Completely automatic updates: 6%

For those applying updates manually, nearly one-fifth said the most significant security incident led to a
complete shutdown of all devices and locations. It’s clear that the level of automation plays a major part
in the impact security incidents have on organizations. Where security updates are applied automatically,
just 6% experienced a complete shutdown of all devices and locations following an incident.


FINDING #6

Remote access security requires immediate attention

Virtually all organizations allow both internal and
external users to access OT environments remotely.
The frequent usage of remote access mechanisms
requires robust security and authentication measures.

Does your organization allow remote access into
OT environments?
(n=800)

[Chart: remote access into OT environments, for internal users and for
external users]

Response options:
Yes, full network access and multifactor authentication is required
Yes, full network access and multifactor authentication is not required
Yes, partial network access (to certain systems only) and multifactor authentication is required
Yes, partial network access (to certain systems only) and multifactor authentication is not required
No, no remote access at all

The majority allow full network access, but around a quarter of this group report that multifactor
authentication (MFA) is not required. Only 18% of companies restrict network access and enforce MFA
when it comes to remote access into OT networks. Given the sensitive nature of these environments,
organizations should be taking every precaution necessary to keep them as secure as possible.


Remote access for internal users

[Figure: responses per industry. Response options:]
• Yes, full network access and multifactor authentication is required
• Yes, full network access and multifactor authentication is not required
• Yes, partial network access (to certain systems only) and multifactor authentication is required
• Yes, partial network access (to certain systems only) and multifactor authentication is not required

Across the different sectors, most internal users have full network access, but MFA is not as widespread. In biotechnology, chemicals, and pharmaceuticals, for example, a third of respondents said internal users can access OT environments remotely without using MFA. This might be because they are further behind on their IIoT/OT projects. This is an area that these organizations need to be aware of, given the implications if their devices are compromised.

Remote access for external users

[Figure: responses per industry. Response options:]
• Yes, full network access and multifactor authentication is required
• Yes, full network access and multifactor authentication is not required
• Yes, partial network access (to certain systems only) and multifactor authentication is required
• Yes, partial network access (to certain systems only) and multifactor authentication is not required
• No, no remote access at all

Similarly, the majority allow external users full network access to OT environments. The use of MFA to do this is widespread, but it is severely lacking for some sectors. Energy, power generation, and utilities is the most likely sector to allow full network access without the requirement of MFA.

This situation should never exist in critical sectors and should be addressed immediately. As we saw with the attack on Colonial Pipeline, just one successful remote access attack can have wide-reaching, catastrophic impacts.

The market offers a variety of different remote access mechanisms, from simple traditional VPN to highly secure Zero Trust solutions.


Which of the following tools is your organization using for remote access? (n=800)

[Figure: responses shown separately for external users and internal users. Response options:]
• Fully implemented Zero Trust model with commercial zero trust offering
• Basic web-based Zero Trust concept to RDP/screenshare host, no network access
• Web-based access to RDP or other screen-sharing tools, segmentation enforced on RDP host via limited access to resources
• VPN or SSL-VPN access to other screen-sharing tools with full access
• Direct network-level access via VPN or SSL-VPN, few or very little network segmentation
• VPN or SSL-VPN access to RDP host (Remote Desktop Protocol) with full access everywhere

Zero Trust Network Access (ZTNA) is the most secure way to provide remote access. It includes granular permissions based on user ID, device ID and type, health state, and geographic location. It’s not one-time access; it’s continuously applied, and permissions are continually verified. With only 1% of respondents using ZTNA for either internal or external users, it’s clearly in its infancy in the OT space. This represents an easy opportunity for the industry to improve its security posture quickly when it comes to remote access.

The majority of organizations provide direct network-level access without further security. All network traffic from remote connections should run through detailed security inspection and be limited to specific target systems only. In particular, screen-sharing tools and remote desktop connections often inadvertently bypass existing security measures. Given that compromised remote access is a common problem, addressing these weaknesses could increase the level of protection significantly.

In addition to who can access the network, organizations also need to consider what users are allowed to do on the network. Access rights and security policies for single users or user groups need to be defined.

In your organization, which of the following access permissions are granted via remote access for internal and external users? (n=800)

• Collecting data for analytics and maintenance: 63%
• Applying configuration changes and updates: 56%
• Use of specified applications and protocols only: 54%
• Privileged access management is applied: 49%
• None of these access permissions are granted: 1%


There are a range of access permissions granted via remote
access for both internal and external users: collecting data for
analytics and maintenance (63%); applying configuration changes
and updates (56%); use of specified applications and protocols
(54%); privileged access management is applied (49%). Just 1%
say none of these access permissions are granted. If access
to an organization’s OT environment fell into the wrong hands,
especially in a critical sector, the impacts could be detrimental.
Worryingly, over half (57%) of respondents report that external
users who have full network access are able to apply
configuration changes and updates, a very high-risk situation
for a breach.
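
The ZTNA properties and remote access permissions discussed above (per-request checks on user, device, health state and location, access limited to specific target systems and protocols, and control over who may apply configuration changes) can be sketched as a default-deny policy check. This is an added example, not code from the report or from any product; the policy layout, user, device and host names, and the action names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: all users, devices and hosts below are hypothetical.
POLICY = {
    "vendor-tech": {  # external maintenance contractor
        "devices": {"laptop-7731"},
        "countries": {"DE"},
        # (target system, protocol) -> actions allowed on that pair
        "grants": {("hist-01", "https"): {"read_data"},
                   ("plc-line3", "opcua"): {"read_data"}},
    },
    "ot-engineer": {  # internal engineer
        "devices": {"ws-0042"},
        "countries": {"DE", "AT"},
        "grants": {("plc-line3", "opcua"): {"read_data", "apply_config"}},
    },
}

@dataclass
class Request:
    user: str
    device: str
    device_healthy: bool   # health state reported for the connecting device
    country: str
    mfa_passed: bool
    target: str
    protocol: str
    action: str            # "read_data" or "apply_config"
    pam_session: bool = False

def decide(req: Request) -> tuple:
    """Evaluate one request. Call this on every request, not once per login."""
    rule = POLICY.get(req.user)
    if rule is None:
        return False, "unknown user"
    if not req.mfa_passed:
        return False, "MFA required"
    if req.device not in rule["devices"]:
        return False, "unregistered device"
    if not req.device_healthy:
        return False, "device failed health check"
    if req.country not in rule["countries"]:
        return False, "location not allowed"
    allowed = rule["grants"].get((req.target, req.protocol))
    if allowed is None:
        return False, "target/protocol not granted"  # no network-wide access
    if req.action not in allowed:
        return False, "action not granted"
    if req.action == "apply_config" and not req.pam_session:
        return False, "configuration changes need a PAM session"
    return True, "allow"
```

Because the decision is recomputed per request, a device that falls out of a healthy state mid-session loses access on its next request instead of keeping it until logout.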

FINDING #7

Digital transformation drives new technology

The adoption of the public cloud, software-as-a-service
(SaaS), and secure access service edge (SASE) is changing
the way corporations operate and the network architecture
they require. We wanted to know where businesses are on
this journey to digitalization.

Does your organization plan to utilize a public cloud offering for digital transformation? (n=800)

• We are already utilizing a public cloud offering: 36%
• We are in the process of adopting a public cloud offering: 40%
• We will be adopting a public cloud offering within the next 12 months: 20%
• We will be adopting a public cloud offering within the next 12 to 24 months: 4%

Virtually all organizations have committed to the adoption of public cloud. 96% are already using public
cloud, are in the process of adopting a public cloud offering, or have plans to do so in the next 12 months.
However, the level of adoption shows significant differences between industries.


Public cloud adoption by industry

[Figure: responses per industry. Response options:]
• We are already utilizing a public cloud offering
• We are in the process of adopting a public cloud offering
• We will be adopting a public cloud offering within the next 24 months
• We will be adopting a public cloud offering but not in the next 24 months
• We currently have no plans to adopt a public cloud offering

The adoption of public cloud is widespread in some industries but still being worked on in others. Interestingly, in the government sector, where the use of IIoT tends to be for managing critical infrastructure, the use of public cloud is very high at 60%. On the other end of the spectrum are the healthcare; mining and metals; agriculture, forestry, and fishing; biotechnology, chemicals, and pharmaceuticals; and wholesale verticals, all with an adoption rate below 30%.

Public cloud is not a security risk. In general, companies using public cloud seem to be more willing to adopt technology and invest in security. The same group is also seen adopting edge computing more often, and public cloud appears to be a driver for that technology. So, we wanted to know if this is in fact the case.

To what extent has your organization adopted edge computing? (n=800)

[Figure: responses broken down by public cloud adoption status (already utilizing a public cloud offering; in the process of adopting a public cloud offering; adopting a public cloud offering within the next 12 months; adopting a public cloud offering later or no plans to adopt). Response options:]
• We have fully adopted edge computing
• We are in the process of adopting edge computing
• We will be adopting edge computing within the next 12 months
• We will be adopting edge computing in 12 to 24 months
• We currently have no plans to adopt edge computing
• Don’t know

Edge computing is considered an important part of an organization’s setup by the vast majority of respondents and will likely continue to gain in popularity in the future.

Over two-fifths of respondents say their organization is in the process of adopting edge computing. About one-third say edge computing has been fully adopted. About one-quarter say their organization will be adopting edge computing within the next 12 to 24 months. Based on the data, it’s clear edge computing helps businesses take advantage of public cloud, with adoption among those who are already utilizing a public cloud offering reaching 67%.

Looking at the popular IoT edge platforms, Google IoT Edge, AWS Greengrass, and Azure IoT Edge are the most likely edge computing tools being considered, according to respondents.

Which of the following benefits has/do you think your organization would gain by adopting always connected IIoT? (n=800)

• Improved product quality: 42%
• Improving asset/device management: 39%
• Increased agility: 39%
• Competitive advantages: 38%
• Optimized/simplified maintenance: 37%
• Optimize equipment effectiveness: 36%
• Improving decision-making: 34%
• Reduce production cost: 34%
• Reduce CO2 emission: 29%
• Real-time monitoring and control: 29%

When asked about the importance of digitalization in general, there is overwhelming
agreement from respondents when it comes to three items:
• Always connected IIoT/OT is viewed as a competitive asset for organizations
• Edge computing is considered an important part of an organization’s setup
• Organizations need to invest more in the security of IIoT and OT
In more detail, improving product quality, asset/device management, and agility were
cited as top benefits of always connected IIoT.
Our final question in this survey was about the most important use cases for future
digitalization projects.

Which of the following would your organization consider when digitally transforming your organization? (n=800)

• Artificial intelligence/machine learning: 52%
• Data normalization and aggregation: 52%
• Remote condition monitoring of assets: 50%
• Predictive/pre-emptive maintenance: 50%
• Product customization/lot size 1: 33%
• Digital twin: 27%

Looking forward to the adoption of additional technologies, organizations are considering a number of solutions and strategies, including the use of AI/ML and better data management.


Conclusion

In today’s uncertain geopolitical environment, people and organizations are highly concerned with potential cyberattacks. The most concerning are possible attacks on critical infrastructure and industrial assets. Unfortunately, IIoT/OT security currently requires a lot of improvement.

This report shows nearly all — 94% — of organizations have experienced at least one security incident, which likely impacted their industrial IoT infrastructure. These incidents had significant impact on organizations, with 87% of them reporting their operations were impacted for one day or more. The incidents involved a wide range of attacks, with web application, malicious external hardware/removable media, and distributed denial of service attacks being the most frequent.

The good news is the majority of organizations are already implementing or planning IIoT/OT security projects. Even better news is organizations that didn’t experience an impact are more likely to have already completed some IIoT/OT security projects, so these projects seem to be effective. There are many challenges, however, in successfully implementing IIoT/OT security, including long implementation times and high costs. In fact, 93% of organizations had a failed project on their journey to IIoT/OT security.

Some of the areas that require attention are the lack of network segmentation, reactive rather than proactive security updates, and insufficient automation. One area that requires urgent attention is remote access security. While most organizations allow both internal and external users access to their OT environments, roughly a quarter are not requiring multifactor authentication, leaving organizations wide open to attacks.

Fortunately, effective solutions to IIoT security challenges are available, including secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service. These solutions can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access. In addition, web application firewall services can be deployed to protect the infrastructure from web application and DDoS attacks.
