
Tenable Blog


Cybersecurity professionals face serious challenges in OT security: Ponemon report


62% of organizations in industries relying on operational technology experienced two or more business-impacting cyberattacks in the past 24 months, according to a report from Ponemon Institute and Tenable.

If you follow cybersecurity news as avidly as we do, you already know that industrial control systems underlying critical infrastructure are vulnerable, and they are under attack. But, how bad is it? Tenable commissioned Ponemon Institute to answer this question and provide insight into past events, preparedness and future priorities. The data from 701 respondents in industries that have OT infrastructure is presented in the report, Cybersecurity in Operational Technology: 7 Insights You Need to Know. A few highlights are discussed below.

OT is not well-defended and vulnerabilities abound

Visibility into the attack surface is insufficient. Only 20% of respondents agreed or strongly agreed that they had sufficient visibility into their organization’s attack surface. This is very concerning because all security controls/processes depend on the visibility provided by comprehensive asset inventories. You are unlikely to manage and secure assets if you don’t even know about them.

Inadequate staffing and manual processes limit vulnerability management. The shortage of cybersecurity professionals has been well documented. In 2017, Forbes quoted the IS Audit and Control Association (ISACA) as predicting a global shortage of 2 million cybersecurity professionals by 2019. We are now in 2019, and I haven’t seen any data disprove ISACA’s prediction. The well-publicized cybersecurity skills shortage is exacerbated by reliance on manual processes to assess and remediate vulnerabilities.

Top impediments to effective vulnerability management

Using a five-point scale of strongly agree to strongly disagree, the following percentage of respondents agreed or strongly agreed with the below statements.

Statements (respondents answering Agree/Strongly Agree):

  • The security function of our organization has adequate staffing to scan vulnerabilities in a timely manner.
  • Our organization is at a disadvantage in responding to vulnerabilities because we use a manual process.
  • Security spends more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog.

Source: Cybersecurity in Operational Technology: 7 Insights You Need To Know, Ponemon Institute and Tenable, April 2019.

Vulnerabilities continue to proliferate. The ability to assess and remediate vulnerabilities in a timely manner is extremely important. In the first 45 days of 2019, the Industrial Control System-Computer Emergency Response Team (ICS-CERT) issued 45 alerts describing vulnerabilities in industrial control systems[1]. These vulnerabilities apply to products from leading control system manufacturers, including ABB, AVEVA, Mitsubishi, Omron, Rockwell, Schneider Electric, Siemens and Yokogawa. That quantity is small compared to the 405 IT vulnerabilities discovered during the same period. However, staff responsible for OT security cannot put blinders on and focus only on OT vulnerabilities, because IT/OT convergence means that both ICS and IT vulnerabilities can be exploited to attack critical infrastructure. 450 combined OT and IT vulnerabilities in 45 days is challenging for many organizations to assess and remediate. This velocity may or may not continue throughout the year, but even if it decreases by half, the number is challenging to manage without an automated process.

OT is under attack

According to the Operational Technology Cybersecurity Insights report, manual vulnerability management processes result in inadequate protection against cyber-attacks. The report reveals most organizations in industries that have OT infrastructure have experienced multiple cyber-attacks causing data breaches and significant disruption/downtime to business operations, plant and operational equipment. Over the past 24 months:

  • 90% have experienced at least one damaging cyberattack, and 62% have experienced two or more. These data refer to all damaging attacks, not just attacks against OT infrastructure. IT attacks are included because some can result in attackers pivoting from IT into OT.
  • 50% experienced an attack against OT infrastructure that resulted in downtime to plant and/or operational equipment.
  • 23% experienced a nation-state attack. Nearly one quarter were able to attribute an attack to a nation state. This is a serious concern due to the high level of expertise and funding nation-states can provide. Nation-state attackers are not script kiddies.

How can you move forward?

The survey reveals that 70% of respondents view “Increasing communication with C-level and board of directors about the cyber threats facing our organization” as one of their governance priorities for 2019. If this applies to you, you can reference the survey data in discussions with executive leadership as you discuss your organization’s security posture relative to OT attacks.

About this study

The report is based on a survey of 710 IT and IT security decision-makers in the following industries: energy and utilities; health and pharmaceutical; industrial and manufacturing; and transportation industries. Respondents were from the United States, United Kingdom, Germany, Australia, Mexico and Japan, and all respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy here.

[1] Tenable Research discovered a Remote Code Execution vulnerability in InduSoft Web Studio, an automation tool for human-machine interface and SCADA systems.
