Page 37 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Among the key findings of our report: 69 percent of industrial sites have plain text passwords
traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive
credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
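
To make the plain-text finding concrete, here is an added example (not code from the report or from CyberX) of a passive check that flags FTP logins and SNMPv1/v2c community strings in monitored traffic. It assumes the caller has already extracted the destination port and application payload from a capture; the function names and sample messages are constructed for illustration.

```python
import re

# FTP control-channel commands that carry credentials in cleartext (RFC 959).
FTP_CRED = re.compile(rb"^(USER|PASS)[ \t]+(\S.*?)\r?\n", re.I | re.M)

def _ber_tlv(buf, off):
    """Decode one BER TLV at buf[off:]; return (tag, value, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length

def snmp_community(payload):
    """Return the community string of an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = _ber_tlv(payload, 0)          # outer SEQUENCE
        if tag != 0x30:
            return None
        tag, ver, off = _ber_tlv(body, 0)            # INTEGER version
        if tag != 0x02 or int.from_bytes(ver, "big") not in (0, 1):
            return None                              # 0 = v1, 1 = v2c; v3 has no community
        tag, community, _ = _ber_tlv(body, off)      # OCTET STRING community
        return community if tag == 0x04 else None
    except (IndexError, ValueError):                 # not SNMP, or malformed
        return None

def find_cleartext_credentials(dst_port, payload):
    """Return (protocol, field, secret_length) tuples; secrets are never returned."""
    findings = []
    if dst_port == 21:                               # FTP control channel
        for m in FTP_CRED.finditer(payload):
            findings.append(("FTP", m.group(1).upper().decode(), len(m.group(2))))
    elif dst_port == 161:                            # SNMP agent
        community = snmp_community(payload)
        if community is not None:
            findings.append(("SNMP", "community", len(community)))
    return findings

# Constructed sample payloads (not captured from any real site).
SAMPLE_FTP = b"USER operator\r\nPASS example-pass\r\n"
SAMPLE_SNMP = (bytes.fromhex("30180201010406") + b"public"
               + bytes.fromhex("a00b0201010201000201003000"))

if __name__ == "__main__":
    print(find_cleartext_credentials(21, SAMPLE_FTP))
    print(find_cleartext_credentials(161, SAMPLE_SNMP))
```

Reporting only the field name and secret length lets the findings go into an asset inventory or ticket without copying the credential itself.
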
Whether out of convenience or inattention, 40 percent of industrial sites have at least one direct connection
to the public internet. With digitization as a key business driver, operational technology (OT) networks
are now also increasingly connected to corporate IT networks, providing additional digital pathways for
attackers.
According to our findings, at least 57 percent of industrial sites are still not running any anti-virus
protections that update signatures automatically, leaving the programs largely ineffective, and 16 percent
have at least one wireless access point (WAP). Misconfigured WAPs can be accessed by unauthorized
laptops and mobile devices, and sophisticated malware such as VPNFilter targets access points such as
routers and VPN gateways, enabling attackers to capture MODBUS traffic, perform network mapping,
destroy router firmware and launch attacks on OT endpoints.
As we continue to assess both past attack methods and the current state of our networks and
vulnerabilities, a path towards remediation and protection becomes clearer. Not everything can be
protected at once, so ruthless prioritization is required. In the report, we lay out a series of eight steps
towards protecting an organization’s most essential assets and processes. These include: continuous
ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can
do any damage; threat modeling to prioritize mitigation of the highest consequence attack vectors; and
more granular network segmentation.
Analyzing the data for the second time in two years also gave us an opportunity to compare data and
look for trends, and perhaps the most important conclusion we reached after looking at the delta between
last year’s report and this year’s report is that the delta itself is small, and the industry may not have
changed much over the course of the past year. Other than the drop of industrial sites using legacy
Windows systems from 76 percent last year to 53 percent this year, the rest of our data changed in relatively
small increments.
In comparison to last year, where the median overall risk-readiness score across all industrial verticals
was 61 percent, our latest research puts the score at 70 percent. These results, however, fall short of
CyberX’s minimal recommended readiness score of 80 percent. With this year’s report, the risk-readiness
score by industry is 67 percent for manufacturing, 68 percent for pharmaceuticals and chemicals, 79 percent
for energy and utilities, and 81 percent for oil and gas.
As these numbers suggest, awareness about the need for stronger ICS defenses is growing, but there's
still a lot of work to be done. When looking at the scope of the current ICS security situation and its many
complexities, it bears remembering that we are attempting to close a 25-year gap between OT and IT
security practices.