Operational Technology: Industrial Digital Transformation Continues to Outpace Investment in Cybersecurity
Industry 4.0 is coming of age but cybersecurity needs to catch up
Industry 4.0, introduced in 2011, envisioned a revolution in manufacturing and process industries through digital technologies. While the shift may not have been as fast as predicted, manufacturing has undeniably transformed. Ten years ago, digital concepts were emerging; today, IoT and data analytics are widely adopted for process optimisation, predictive maintenance, and real-time monitoring. Plant automation has evolved from handling repetitive tasks to more complex operations, with greater agility and flexibility in responding to demand.
The evolution of manufacturing into more responsive, predictive, and flexible operations has been driven by enhanced connectivity within plants and between OT and IT systems, supported by large-scale data processing at the edge and in the cloud.
This growing digitalisation ranks as the most significant driver of cybersecurity investment in Westlands Advisory’s OT Cybersecurity Trend Index, a model that evaluates the relative strength of trends on OT cybersecurity investment from 2008 onwards. In the model, the linear growth in cybersecurity investment has not kept pace with the exponential growth of digitalisation since 2018, leading to a widening gap between the focus on business transformation and the discipline of cyber risk management. This is common in many industries—innovation often outpaces security.
Cybersecurity incidents drive cybersecurity investment
During this same period, the volume of cybersecurity incidents affecting operational technology has increased, including IT events that disrupted OT systems. As industries digitalise and attack surfaces expand, a corresponding rise in cyber incidents is to be expected, particularly in sectors that are high-value targets for threat actors who are looking to extract ransom, exfiltrate data and intellectual property, or cause a disruption in operations. Notably, reported cyber incidents remained stable for 3-4 years after digitalisation accelerated, before sharply increasing.
Dan Cartmill, Sr. Global Product Marketing Director at TXOne Networks, highlights that “The convergence of IT and OT systems exponentially increases the attack surface rather than merely combining them. While IT environments have undergone decades of security enhancements, OT systems frequently remain in their original, vulnerable state. This disparity creates a critical weakness: when common IT threats spill over to OT environments, they encounter systems ill-prepared to respond effectively.”
While regulation is often cited as a driver of cybersecurity investment, WA’s research indicates that globally and across industries it has had a minimal impact on OT cybersecurity maturity. Whilst there are a few examples of regulation working, for example NERC CIP, many industries reliant on OT remain out of regulatory scope or have not adopted practices that they are required to implement. For example, the EU NIS framework, despite its good intentions, has had a limited impact across the EU. Poor compliance and weak enforcement have limited its effectiveness.
Accelerating digitalisation and growing incidents
Assessing how industrial trends will evolve over the forecast period helps us to evaluate future cybersecurity requirements and investment.
Digital transformation will continue to strengthen over the next decade as organisations implement private 5G networks, make greater use of digital twins, and invest in AI-related programs. The manufacturing alliance’s survey on digital transformation highlights asset owner intent to improve digitalisation, including supply chain optimisation, product planning, manufacturing, business intelligence, inventory management and aftermarket services. The survey highlights that most organisations remain at earlier stages of digitalisation.
As digitalisation and connectivity increase, industrial data trust will become an increasingly important focus area as automation becomes more reliant on analytics and AI. Protecting OT requires data to be secure throughout its lifecycle, passing from ‘trusted’ OT environments to cloud platforms. Asset owners are likely to shift towards data-centric models, with a focus on data sovereignty and mixed approaches to data processing—leveraging on-premises, edge, and cloud solutions depending on the nature, value, and cost of the data.
The current geopolitical climate is expected to remain volatile, and threats to critical infrastructure and the manufacturing sector are unlikely to diminish. Despite a growing emphasis on secure-by-design principles, the expanding attack surface will likely result in an increase in cybersecurity incidents. Given the recent trajectory and correlation with manufacturing digitalisation, it is possible that the number of annual incidents will more than double by 2031, diverging further from cybersecurity investment in the accompanying chart. However, this forecast is based on historical data and assumes the status quo – rapid digitalisation, poor cybersecurity postures, and weak regulation.
Closing the gap
Despite the growing gap between digitalisation and cybersecurity investment, Westlands Advisory’s analysis shows improvements in cybersecurity maturity. Leading utilities and manufacturers have made considerable progress, transitioning from basic to advanced OT cybersecurity programs. However, many organisations, particularly SMEs, remain behind. Raising awareness and improving education for SMEs is crucial and this includes improving collaboration between OT and IT.
Dan Cartmill adds “Addressing this complex challenge requires a systematic approach, establishing fundamental security practices within OT before advancing to more sophisticated measures. Crucially, the cornerstone of a successful integrated security program is a strong IT-OT partnership. This collaboration is essential for comprehending the intricacies of OT systems and implementing security measures that are both robust and operationally appropriate, ensuring protection without compromising critical industrial functions.”
A further shift towards secure-by-design principles will also play a key role in closing the gap. OT has inherited a cybersecurity problem – systems were not designed to be exposed to the internet and therefore cybersecurity strategy has focussed on fixing insecure networks, systems, and devices. Industry needs to focus on ensuring that solutions are secured as part of the digitalisation process, moving the cybersecurity investment curve alongside digital transformation. Jen Easterly, Director of the US’ Cybersecurity and Infrastructure Security Agency (CISA) stresses the importance of ensuring products are secure at the outset, calling vulnerabilities “product defects” and stating “we don’t have a cyber security problem – we have a software quality problem. We don’t need more security products – we need more secure products.”
Growing regulation focused on secure-by-design is likely to be part of the solution. The EU Cyber Resilience Act (CRA) has the potential to dramatically change the security of industrial products and systems. At its core, the regulation requires all manufacturers producing hardware or software with digital elements to incorporate cybersecurity features during the design and development processes and provide security updates to address vulnerabilities throughout the product’s lifecycle. Companies that fail to meet the regulatory requirements are liable to fines of up to 2.5% of global turnover.
As the installed base of secure products and systems increases, cybersecurity investment will start to align with the digitalisation journey. However, this will take time. Most of the manufacturing and processing industrial base is brownfield and will require a balanced approach to cybersecurity – applying defence-in-depth to existing OT environments, reducing attack surfaces, and ensuring that as new products and systems are introduced, they are already secure-by-design.
Westlands Advisory’s Industrial OT Cybersecurity Market Analysis is available from September 2024.