SANS report from 2021 on cybersecurity in OT/ICS

In August 2021, SANS published a report on cybersecurity in OT (operational technology) and ICS (industrial control systems) environments. The findings are based on a survey of 480 organizations in relevant industries.

Among many other things, respondents were asked if they’d experienced one or more security incidents involving their OT/ICS environment over the previous 12 months. 15.1% said yes. See the graph on page 8. On the next page, there are two additional graphs – the number of incidents in the past 12 months (with 42.9% saying “less than 10”) and an assessment of how disruptive the incidents were (with only 9.5% saying “no impact/disruption”).

We often use something we call “midpoint analysis” in creating averages. This means looking at the distribution of answers for the various answer options, and multiplying the midpoint of each answer option (e.g., the midpoint of “1 to 5 hours” is 3 hours) by the frequency with which the respondent said “that’s me.” If 25% chose the 1-5 hours answer option, then the contribution to the overall midpoint is 3 hours x 25%, or 0.75 hours. Once we’ve done this for the remaining 75% of respondents, we sum the contribution of each answer option to get the overall midpoint.
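The midpoint calculation described above, as an added Python example (not code from the original post or from the SANS report). Only the "1 to 5 hours" option at 25% comes from the text; the other answer options, their percentages, and the cap applied to the open-ended top option are constructed assumptions.

```python
import re

def option_midpoint(label, open_cap=None):
    """Midpoint of one answer option, e.g. '1 to 5 hours' -> 3.0."""
    nums = [float(n) for n in re.findall(r"\d+(?:\.\d+)?", label)]
    text = label.lower()
    if len(nums) == 2:                       # closed range: "1 to 5", "6-10"
        return (nums[0] + nums[1]) / 2
    if len(nums) == 1 and text.startswith("less than"):
        return nums[0] / 2                   # assumption: the range starts at 0
    if len(nums) == 1 and text.startswith("more than"):
        if open_cap is None:
            raise ValueError(f"open-ended option needs a cap: {label!r}")
        return (nums[0] + open_cap) / 2      # assumption: analyst-chosen cap
    raise ValueError(f"cannot derive a midpoint from {label!r}")

def midpoint_analysis(distribution, open_cap=None):
    """distribution maps answer option -> percent of respondents.
    Returns (overall midpoint, contribution of each option)."""
    total_pct = sum(distribution.values())
    if abs(total_pct - 100) > 0.5:           # shares must cover all respondents
        raise ValueError(f"percentages sum to {total_pct}, expected 100")
    contributions = {
        label: option_midpoint(label, open_cap) * pct / 100
        for label, pct in distribution.items()
    }
    return sum(contributions.values()), contributions

# Constructed distribution; only "1 to 5 hours" at 25% is taken from the text.
SAMPLE = {
    "Less than 1 hour": 40,
    "1 to 5 hours": 25,
    "6 to 10 hours": 20,
    "More than 10 hours": 15,
}

if __name__ == "__main__":
    total, parts = midpoint_analysis(SAMPLE, open_cap=20)
    for label, hours in parts.items():
        print(f"{label:<20} contributes {hours:.2f} hours")
    print(f"Overall midpoint: {total:.2f} hours")
```

The result is sensitive to the cap chosen for an open-ended option, so that choice should be stated alongside any midpoint figure.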

We ran this with the numbers for incidents and disruption in the SANS report – see below.

From the above, we’d state the following. For the 15.1% of respondents that suffered at least one security incident in the previous 12 months:

  • The midpoint number of incidents was 64.3 per organization.
  • The midpoint percentage of disruption was 32.1%, meaning that around one third of the affected process was disrupted or disabled.
  • This is equivalent to 20.65 incidents per year that are fully disruptive for some amount of time.

For anyone responsible for an OT/ICS environment, those are not numbers you want to see.

