Edgardo Moreno is an Executive Industry Consultant at Hexagon's Asset Lifecycle Intelligence division. He has 20 years of experience in operational technology (OT) and cybersecurity. Edgardo joined Hexagon in 2007 and has worked in various international roles. He holds a Master's degree in Computer Science from Texas State University.
Here, he discusses cybersecurity challenges and the role of automation in compensating for the skills shortage in industrial cybersecurity.
What are the main challenges facing industrial organisations as a result of the shortage of cybersecurity professionals?
“The chronic shortage of cybersecurity professionals presents multifaceted challenges to industrial organisations.
“The most obvious consequence is the incapacity to fill specialised roles. According to the Government’s Cyber Security Skills in the UK Labour Market 2023 report, there is a shortfall of 11,000 qualified professionals and 37% of cyber vacancies are hard to fill.
“But it also means that critical positions are often occupied by personnel who may lack the requisite expertise. Cybersecurity teams also tend to remain small and are often stretched too thin for their missions. In 12% of large companies, cybersecurity is handled by a single person, sometimes as part of a broader role.
“The challenges created by these shortages are particularly problematic for industrial companies, which typically use a large variety of end-points, hardware and software on the operational technology (OT) side. OT cybersecurity is a complex field that requires specialised tools and expertise. It’s more difficult to have visibility over your OT inventory, what software devices are running and the critical updates that need to be implemented.
“Due to skill shortages, these issues often get less attention than ‘classic’ IT cybersecurity. And malicious actors are taking advantage of this situation. For example, attacks that specifically target the Internet of Things (IoT) and Industrial Control Systems (ICS) commonly used by manufacturing companies have grown by 400% in the past year.”
Why must industrial businesses invest in improved cybersecurity resources and personnel?
“For industrial companies, it’s a near-certainty that a cyber-attack will impact their operations in the next twelve months. According to Trend Micro, this was the case for 89% of companies in the electricity, oil and gas, and manufacturing sectors in the past year.
“The severity of these attacks depends on many variables that are all directly impacted by the lack of investment, inadequate resources and low levels of cybersecurity maturity. Poor network segmentation, for example, can mean that attackers have access to larger swaths of data and can do more damage.
“The consequences are multiple. There are financial consequences, in the form of ransom to recover data, unplanned downtime or higher insurance payments. A protracted cyber-attack can also lead a company to insolvency, as was recently the case for KNP Logistics in the UK or Clestra Hauserman in France.
“British companies that operate in the EU are also concerned by the NIS directive, which imposes far-reaching obligations. Companies in a wide array of industries should report certain data breaches within 24 hours, and have solid risk and incident management policies in place. And, in some cases, executives can be held personally liable for infringements.”
What role does automation play in compensating for the skills shortage in industrial cybersecurity?
“Automation plays an important role in a series of steps to greater cybersecurity. These should be viewed as a journey, not as a way to ‘solve’ cybersecurity at the push of a button.
“A cardinal rule of cybersecurity is that you cannot protect what you can’t see. A typical first step is therefore to perform an audit of the company’s cybersecurity and ensure that it has a deep, complete and well-maintained inventory of all its OT and IT assets and endpoints. It is a key effort to understand the potential attack surfaces, identify vulnerabilities, and develop effective incident response and recovery.
“Having such a comprehensive inventory can lay the groundwork for automating more cybersecurity tasks. For instance, it can serve to cross-check existing devices and software against databases of known vulnerabilities, like the NIST-NVD from the National Institute of Standards and Technology, and determine the number of vulnerabilities in their operating facilities and have a perception of the equipment at risk.
“But what is also essential is to have a solution that can help you prioritise actions and investments based on their potential impact, rather than a laundry list of security flaws. It ensures that cybersecurity teams can make decisions based on actual risks and use their time, efforts and investments wisely.
“Adopting such strategies may become indispensable. In a climate of economic unpredictability, 51% of large enterprises anticipate either a reduction or a freeze in their cybersecurity budgets in the next twelve months. For industrial companies, fighting cyberattacks in ever greater numbers with less money and resources might be the defining challenge of 2024.”