Category: Report

Rajesh Maurya Regional Vice President, India & SAARC, Fortinet The 2021 State of Operational Technology and Cybersecurity Report from Fortinet finds that operational technology (OT) leaders continue to face cybersecurity challenges, some of which were exacerbated by the shift to work from home due to the pandemic. The pandemic also accelerated IT-OT network convergence for most organizations, which correlates to other CEO reports that indicate that pandemic-related changes have accelerated digital transformation, putting organizations years ahead of where they would have expected to be at this point. Many organizations had to increase their technology budgets to accommodate the move to remote work. And as a result of the many changes brought about by the pandemic, many OT leaders are looking for new ways to streamline processes and reduce costs. As noted in the 2020 report, the momentum for OT-IT network convergence was already happening pre-pandemic, but the effects of the pandemic accelerated digital transformation and increased the need for connectivity. Employees were required to work from home and OEMs and system integrators were hampered by their inability to travel to service equipment. Getting on-site became much more difficult, so the pandemic clearly increased the need for third-party secure remote access. Overcoming these challenges increased both costs and risks. In 2021, we saw a change in respondents away from manager of manufacturing to more VP and director level. The responsibility for OT is shifting away from VP or Director of network engineering to CISOs and CIOs. Additionally, there were more security operations centers (SOCs) and significantly more network operations centers (NOCs) in place in 2021 than the prior year. As we have in previous years, we also compared the practices of respondents who had seen zero intrusions in the past year with those who had 10 or more intrusions. We again found that ‘top-tier’ OT leaders were significantly more likely to adhere to a number of best practices, including: Leveraging orchestration and automation and using predictive behavior. Tracking and reporting the financial implications of cybersecurity to the business. Reporting compliance with industry regulations and scheduled security assessments. Adhering to cybersecurity best practices helped top-tier OT organizations better withstand the technology changes, threats, and vulnerabilities that occurred during the pandemic. METHODOLOGY FOR THIS STUDY This year’s State of Operational Technology and Cybersecurity Report is based on a survey conducted from February 24 to March 1, 2021. The questions mirrored those asked in similar surveys in 2019 and 2020. Respondents work at companies involved in four industries: manufacturing, energy and utilities, healthcare, and transportation. All are responsible for some aspect of manufacturing or plant operations and occupied job grades ranging from manager to vice president. This study utilizes data from the survey to paint a picture of how operations professionals interact with cybersecurity in their daily work. The analysis looks at this year’s data and compares it with results from prior years and identifies several overarching insights about the state of the industry. We then delve more deeply into the data, identifying best practices more commonly used by ‘top tier’ organizations – those who have experienced 0 intrusions in the past 12 months versus those that have seen more than 10 attacks in the same period. INTRODUCTION The operational technology (OT) market is expected to continue to grow through 2027 at a CAGR of 6.40%, which is no surprise because OT makes it possible for the world’s factories, energy production and transmission facilities, transportation networks, and utilities to function. To boost operational efficiency and profitability, many OT companies have been integrating OT infrastructure such as supervisory control and data acquisition (SCADA) systems with IT networks. Competitive pressures are driving an urgency to reduce costs and increase efficiencies in a variety of ways such as: Utilizing digital twins to reduce risks supporting asset performance management (APM). Increasing overall equipment effectiveness (OEE) to drive increased manufacturing yield. Shifting from calendar-based to condition-based maintenance to minimize lost production associated with service outages. Increasing asset availability and reliability. Digitization of paper record-keeping and service reports for service and maintenance activities. These and other digital transformation initiatives have led to innovations requiring new platforms and new ways for people to work than they have in the past. That change in workstyles was exacerbated with the sudden need for employees to work from home. Although the move to remote work is a significant example of digital transformation, the array of systems and processes affected as a business digitally innovates spans all of OT. All the improved agility and efficiency that comes from OT-IT network convergence also comes with increased risks. The diminishing presence of the ‘air gap’ between OT net works and IT systems means the OT infrastructure is subject to all of the threats that IT systems have traditionally faced. Worse, the attack surface for an OT system can comprise Industrial Internet of Things (IIoT) devices, which control critical systems that can have potentially dire health and safety consequences if they are breached. A majority of OT leaders report the maturity of their security posture as at least Level 2 access, which means they have established visibility, segmentation, access, and profiling. At Level 2, they have complete role-based access and are working to achieve zero trust by enforcing multi-factor authentication. In fact, 99% of surveyed respondents were above Level 0, which means only 1% have absolutely no visibility or segmentation in place in OT. Although progress is being made, there is room to grow. Most OT organizations are not leveraging orchestration and automation and their security readiness was further taxed by the COVID-19 crisis. OT-IT network convergence coupled with an ever increasing advanced threat landscape and coping with pandemic-related issues made it even more difficult for OT leaders to stay ahead of adversaries. Although following security best practices takes time and money, those organizations that did were better able to withstand the changes brought about by the pandemic. INSIGHTS FOR OT SECURITY As noted, OT leaders continued to struggle with changes related to OT-IT convergence. Additionally, the…

The year gone by will for long be remembered as one of the most tumultuous years for the world in living memory. India’s economy was already under considerable strain and was showing early signs of systemic fault lines. The arrival of the pandemic at the beginning of the year and its quick spread exacerbated the already fragile situation, pushing the economy towards a downward spiral and into a recessionary mode. The economic shock and disruption caused by COVID-19 had a more telling and crippling effect on the unorganised daily wage sector and migrant workers, triggering a painful dislocation and social upheaval, causing much anguish and distress in rural India. In comparative terms, despite its dense population and fragile health infrastructure, India had till date managed the pandemic satisfactorily, especially so in respect of its fatality ratio. On the geopolitical front, India had a major spat with China after nearly sixty years. Large, heavily armed forces of both sides are as of now locked in a tense stand-off. Any military miscalculation or foolhardy adventure by either side can quickly snowball into a sharp and escalatory conflagration. An objective strategic assessment would suggest that both sides are on even terms, with perhaps a slight tactical advantage to India, allowing it a stronger negotiating posture. Going forward in the next year, one does not foresee any significant changes in the prevailing ground position. Any scope for de-escalation and disengagement can only happen at the highest political level of both sides. The chances of that happening soon are dim, as there is too much at stake for either side to show weakness. A stalemate in the near term is therefore more likely. India would have to be very alert once the campaigning season restarts in June, and both sides jockey for tactical advantage. One thing is for sure, that the clash had brought India and the USA closer together strategically and militarily. This relationship is likely to endure even under the Biden administration, as containing China by all possible means would continue to be the fundamental plank of US policy in the Indo Pacific. The clash had also given an impetus to the QUAD grouping; and the recent joint naval exercises are a pointer to a seriousness of intent. In the coming year, more developments and growth in QUAD and QUAD plus can be expected. Indo-Australian relations, both military and economic, will see an upward swing as Australia and China appear to be drifting apart. The UK, having left Brexit, will look towards India for increased trade, and economic relations will be on the upswing. Indian economy is coming out of recession and despite all constraints, is likely to be the world’s fastest growing economy with anticipated growth rate of 8 to 8.5% and going on to 9 plus in the ensuing years. Once the pandemic is fully under control and an effective vaccine is deployed, one can expect things to be hopefully normal by the second to third quarter of next year. Agricultural reforms introduced by the Modi Govt have met with much headwind. Even though the farm laws are technically good for the agricultural sector, sadly the government had brought them in a hurry and without building a reasonable consensus or communicating the benefits/ safeguards to the polity effectively. It is hoped that most of the contentious issues will be resolved. This though will involve very astute and benign handling, or else given the current mood it may spiral out of control. Nearly 5 Indian states go for elections in 2021 with West Bengal being the most crucial, followed by Assam and Tamil Nadu. The results of these state elections will be like a midcourse referendum of the current disposition. A change of government in West Bengal would be a tall ask for the BJP but TMC would definitely be weakened and lose its grip on the state. Whatever be the final result, due to the high stakes and passions involved, violence during the run up and during elections is likely and would need monitoring. 2021 will be a very eventful year, especially in terms of economic recovery, and revival of the travel and hospitality sector. Schools are likely to open early next year if the current COVID-19 declining trends continue. Security scenario on the borders both with China and Pakistan will continue to be tense with distinct possibility of clashes resulting in casualties. A full-scale war or even a sectoral conflict is less likely as both sides are unwilling to escalate matters. As we move forward, security professionals are likely to face dynamic and more evolving security threats worldwide. As leaders have been focusing on recovering from the impact of COVID-19, security concerns related to border conflicts with China and Pakistan, situations of civil unrest, technological risks and consequences of climate change will have its impact besides the non-traditional threats in both the physical and cyber realms. OVERALL BUSINESS CLIMATE FOR 2021 For India, 2020 was a year of multiple reckonings. Between COVID-19, the lockdown and the pandemic’s economic consequences, the standoff in Ladakh, caused by the largest Chinese military mobilisation in memory, farmer protests on the outskirts of the national capital, and even cyclones were crowded out of news cycles. In terms of geopolitical developments, regional tensions are expected to continue. Besides violent clashes between India and China at the Galwan Valley and a border dispute with Nepal, complexities persist with Pakistan. While India had managed to maintain its ties with Nepal, relations with China and Pakistan are likely to remain strained in the same manner. Tensions along both borders will remain top priorities for security establishments, with probability of more clashes along the Line of Actual Control (LAC) and continued cross border infiltration along the Line of Control (LoC). The impact of the 2020 pandemic in India had been highly disruptive as the country had contributed the second highest number of COVID-19 cases. While the market forecasts have predicted a drop of 18.3 percent, the Indian economy shrank…

The COVID-19 pandemic led to dramatic changes in 2020. At a time of disruption and uncertainty due to the pandemic, people have been suddenly expected, and at times required, to share their personal information such as personal lives, routines, social circles, health status and other data with governments, employers, and also with strangers while learning to interact remotely and in new digital way to help curtail the spread of COVID-19. People have shifted much of their lives online, accelerating a trend that normally would have taken years. These mass-scale shifts in human interaction and digital engagement presented many challenging data privacy issues for organizations who aim to follow the law, stop the spread of the pandemic, while also respecting individual rights. It put strains on privacy as the need to protect individual’s data was often in conflict with the need to protect public health. Consumers and the general public are growing increasingly concerned about how their personal data is being used. Fortunately, privacy protections established over the last decade helped decision makers strike the right balance between individual concerns and community needs. Cisco recently published the 2021 Data Privacy Benchmark Study, its fourth annual look into corporate privacy practices worldwide, which found enhanced importance of privacy protections during the pandemic and increasing benefits for businesses that adopt strong privacy measures. The independent, anonymized survey analyzed the responses of 4,400 security and privacy professionals across 25 countries and explored attitudes towards privacy legislation and the emergence of privacy metrics being reported to executive management. In this year’s Data Privacy Benchmark Study, we’ve found strong evidence that privacy has become an even more important priority during the pandemic. Privacy budgets have increased over the last year, organizations have more resources focused on privacy, and privacy investments going above and beyond the law are translating into real business value. Privacy legislation and external certifications are providing assurance in a business environment where it’s hard to know whom to trust. Consumers are exercising their privacy rights and demanding enforcement of existing privacy protections. The reaffirmation of privacy’s value even during the pandemic positions it as a priority for years to come. Privacy is no longer an afterthought; it is core to how we work and interact with each other. The age of privacy has arrived. KEY FINDINGS In this study, we continue our exploration of privacy practices and maturity levels at organizations around the world, their financial investments in privacy, business benefits from these investments, and the forces driving these behaviors. In this year’s research, we also included several questions related to the pandemic and its impact. Some of the key findings include Ninety-three percent of organizations turned to their privacy teams to help navigate and guide their pandemic response. Privacy budgets doubled in 2020 to an average of $2.4 million. RoI was slightly down compared to 2019, but remains attractive with 35% reporting benefits at least 2 times their investments. Privacy laws are viewed very favorably around the world, with 79% of organizations indicating they are having a positive impact (and only 5% negative impact). External privacy certifications (e.g., ISO 27701, APEC Cross-Border Privacy Rules, and EU Binding Corporate Rules) are an important buying factor for 90% of organizations when choosing a product or vendor. Organizations with more mature privacy practices are getting higher business benefits than average and are much better equipped to handle new and evolving privacy regulations around the world. Data privacy has become a top area of responsibility for security professionals, with 34% of survey respondents indicating privacy is one of their core competencies and responsibilities. Ninety-three percent of organizations are reporting privacy metrics (e.g., privacy program audit findings, privacy impact assessments, and data breaches) to their Boards. These findings provide strong evidence that the commitment to privacy has been strengthened during the pandemic. Organizations that get privacy right improve trust with their customers, operational efficiency, and both top-line and bottom-line results. FORGED BY THE PANDEMIC: THE AGE OF PRIVACY 1. Helping organizations overcome the challenges of the pandemic The COVID-19 pandemic forced many changes on society in 2020, including a rapid shift to remote working and an often-urgent need for personal health information to support public health initiatives. Rather than being pushed aside, privacy teams and privacy principles have attained greater prominence as they have helped organizations manage this shift and balance the competing interests of individual rights and public safety. Ninety-three percent of organizations said their privacy teams played a significant role in helping them navigate and respond to the challenges brought on by COVID-19. These challenges included the shift to remote working, determining when and how to share personal information, and implementing controls to limit access and use of any shared personal data. During the pandemic, the percentage of organizations where most employees were working remotely jumped from 40% to 67%, and 91% of organizations had at least a quarter of their employees working remotely. Unfortunately, many were unprepared for this transition. Only 41% of organizations described themselves as fully prepared for this shift from a privacy and security perspective, and 87% of individuals expressed concern with the privacy protections involved in the tools they needed to work and interact remotely (See figure 1). In responding to the pandemic, governments and organizations needed health-related personal data to understand co-morbidity factors and exposure risk to keep their communities and workplaces safe. Despite the need, consumers generally supported few if any exceptions to the privacy protections for their data. Thirty-six percent of respondents in the consumer survey wanted no change to existing privacy laws, with another 26% supporting only limited exceptions. Only 10% thought privacy should take a back seat to safety during the pandemic (See figure 2). In considering specific use cases, 57% were supportive of employers’ need for health information to keep their workplaces safe, but most other use cases were only supported by a minority of respondents. These included location tracking, contact tracing, relaxing medical restrictions, disclosing information about infected individuals, and using individual…

(Submitted by Overseas Security Advisory Council) Digital contact-tracing mobile applications have become a useful mitigation tool for countries and private-sector organizations alike in the fight against COVID-19. South Korea and Singapore were among the first to deploy a digital version of contact tracing, a key reason those countries have experienced relatively few coronavirus cases. In the United States, such measures have fallen largely to tech companies, resulting in a rare partnership between Apple and Google to develop contact-tracing technology that will operate on both iOS and Android phones. However, other countries have implemented apps that raise serious security concerns for private sector operators. This report looks at the issue as a whole, and examines its implications in two key countries for OSAC members. Using Contact Tracing Applications While governments and major companies work to create and monitor tracing apps, private sector organizations have also begun acquiring mobile applications and wearable devices to track and stop the spread of coronavirus in the workplace. PricewaterhouseCoopers (PwC), which is building its own contact tracing app, noted that nearly a quarter of chief financial officers they surveyed plan to evaluate the technology as part of an office reopening strategy. A recent survey of 300 OSAC members received similar results; 22% of respondents noted that their organization was considering the use of contact tracing mobile applications to identify and track possible COVID-19 infections, with another 3% reporting that their organization was already using these applications. These responses were highest in Asia, where almost 30% of respondents reported either considering or currently using contact tracing mobile applications. As organizations consider mandating these technologies in the workplace, many questions arise such as whether participation actually makes employees safer (or just feel so), if apps are legal and appropriate to deploy and mandate for employees, and if the technology will work as advertised in the field. The legality and appropriateness of mandated digital contact tracing in the workplace is likely to differ by country and organization. Also, organizations may need more time and experience to fully understand how well the technology will work, and how it will impact employee safety. Regardless, the mandated use of these technologies present cybersecurity and privacy concerns that can and should be examined before considering or committing to any new platform. GPS vs Bluetooth The two primary forms of digital contact tracing mobile applications are those that rely on GPS and those that use Bluetooth. GPS-based apps, such as those in South Korea and Israel, are the most intrusive on privacy, since they track and communicate user locations and movements to a centralized source (like the government). They can pinpoint potential locations of exposure, as well as the phones of the users who appear to have been in close contact with an individual. Meanwhile, those that rely on Bluetooth technology, like the apps in Singapore and Australia, can tell you when you might have been exposed to COVID-19, but they are more decentralized and will not tell a user where or to whom they were exposed. Privacy advocates prefer the latter for these reasons. Some legal experts argue that the optimal design for private-sector organizations from a privacy point of view leverages Bluetooth technology without giving the employer access to the server containing the information. Companies Behind the Apps In addition to understanding the technical backbone on which these applications rest, organizations should also consider the developers and their track records with cybersecurity and privacy issues. There is a wide variety of companies seeking to develop this technology and earn their share of what may prove to be a lucrative market moving forward. These include all types of organizations, from traditional business software and professional services companies like PwC and Salesforce, to technology startups and cyber intelligence firms. According to Reuters, at least eight surveillance and cyber-intelligence companies are attempting to sell re-purposed spy and law enforcement tools to track COVID-19 and enforce quarantines. Executives at four of those companies said they are piloting or in the process of installing products to counter coronavirus in more than a dozen countries in Latin America, Europe, and Asia. One of the more controversial companies in this group is the Israel-based cyber intelligence firm, NSO Group. The surveillance software-developer is currently being sued by WhatsApp for allegedly helping governments hack 1,400 targets, to include activists, journalists, diplomats, and state officials using its signature software, Pegasus. The company also faces another lawsuit in which it is accused of supplying software to the Saudi Arabian government, which allegedly used it to spy on the journalist Jamal Khashoggi before his murder. While these platforms, which largely rely on GPS location data, have primarily marketed to governments, organizations interested in employing digital contact tracing tools within their facilities and workforce should also be wary of clandestine technologies traditionally used for surveillance. Beyond the damage that such technologies could cause to an organization’s business image or employee trust, they could also present significant data privacy concerns, depending on how the data is collected, stored, and accessed. Organizations should also monitor which countries are adopting these more privacy-invasive technologies, as countries more predisposed to dissent suppression and other digital authoritarian practices could easily abuse then. Two Significant Case Studies OSAC has received inquiries from the private sector regarding digital contact tracing apps that host governments are mandating for employees. According to MIT Technology Review’ COVID-19 Tracing Tracker, 25 countries currently have significant automated contact tracing efforts in place, and five of those countries (Bahrain, China, India, Qatar and Turkey) mandate use of tool . Two case studies address how mandated use might impact U.S. private-sector employees operating in the world’s two most populous countries. China Color-Coded Health Passes China has rolled out a color-coded health system based on travel history and contact tracing to monitor new COVID outbreaks. While downloading the app is not mandatory, the health code is necessary to enter public places such as public transportation, residential compounds, hospitals, workplaces, or schools, or to travel domestically. If an individual…

India continues to position itself as an attractive hub for investments from foreign players with an expanding economy and a steady gross domestic product (GDP) growing annually at 7.1%. International forums have indicated that the ease of doing business in India has improved significantly. Pro-investor policies have been implanted by the government to further bolster India’s position in the international market. Through several flagship programmes, the government is striving to promote manufacturing activity locally. Foreign investment and IT-powered infrastructure continue to be developed to further enable support for logistically robust and multi-nodal networks. Emerging possibilities of growth implies risks across all sectors. Companies should expect an array of challenges in business operations in India. A lack of preparation against risk mitigation could result in financial and operational functions. The Government of India continues to make attempts at ensuring that bilateral and multilateral relations remain friendly for businesses to conduct operations. As India prepares itself, as a nation, for another round of general elections in 2019, there has emerged a certain amount of uncertainty regarding business policies and existing schemes. With the upcoming elections in 2019, it is likely that policy change may affect business continuity. A holistic risk-management strategy would assist businesses to anticipate and prepare against emerging and existing risks, thereby, allowing a company to mitigate such risks. The India Risk Survey consists of 12 risks that indicate the most significant threats to business operations and development in India. Each risk is assessed individually, which provides a deeper and more holistic understanding, based on the Pinkerton Risk Wheel. The Pinkerton Risk Wheel frames risk into four broad categories which can help understand not only the different threats that can impact business continuity, but the inter connectivity of risks as a whole. Threats categorized in one risk area ultimately can impact the other risk areas. The risks wheel is divided into four quadrants – Hazard & Event Risk (natural hazards, terrorism & insurgency, crime and fire), Operational and Physical Risk (strikes and unrest, threats to women safety, accidents and infrastructure risk), Market and Economic Risk (political and government instability, corruption, bribery, fraud, and legal regulatory risk), and Technology and Information Risk (information and cyber insecurity, intellectual property theft and business espionage). The India Risk Survey (IRS) aims to measure and quantify the different risks that organizations face when conducting operations in India. The constantly evolving nature of risks compels organizations to safeguard their operations and develop innovative strategies to predict threats. In this seventh edition, IRS 2018 aims to delve deeper into all facets of risks to identify the most prevalent threats under each risk category. Through deliberations with policy makers and industry stakeholders across sectors, each year emerging risks are also identified. The IRS 2018 states infrastructure risks, occupational hazards at workplace and legal regulatory risk as the emerging risks of 2018. In today’s time, policy makers and business leaders can truly fulfil their role by timely anticipating risks. On behalf of Pinkerton, I sincerely hope that the India Risk Survey 2018 report will assist the industry, as well as the government decision makers to assess the impact of these risks and develop preventive strategies to mitigate them. – Rohit Karnatak, Managing Director India, APAC & EMEA – Global Screening, Pinkerton Overall Risk Trends – 2018 India Risk Survey 2018 also provides the most significant threat types within each risk for a comprehensive reading of each threat-vector as part of a larger reality. The threats are interconnected and overlap across domains, sectors and geographies. In the 2018 edition, new risks have been identified on the basis of this year’s survey, which include infrastructure risk, occupational hazards at workplace, and legal regulatory risks. Information and Cyber Insecurity remains at the top position in the India Risk Survey 2018. Considering the importance of cyber critical infrastructure, the vulnerabilities attached to it remain largely underlined in the Survey. Services in India are quickly moving towards digitization. While this could be perceived as a step towards rapid development in various sectors, it also presents risks in which malicious activity can be easily carried out, posing a significant threat to sensitive data. The India Risk Survey 2018 focuses on four major risks posed by Information and Cyber Insecurity. These are data theft, compliance and regulatory incidents, cyber infrastructure attacks, and impersonations. Amongst these, data theft, phishing, and hacktivism emerged as the biggest threat. With India becoming a key destination for businesses and foreign investment, a more serious focus should be directed to create a robust security mechanism to address these challenges. Natural Hazards ranks as the second biggest risk to business operations in the India Risk Survey 2018. As per the findings, floods pose the biggest threat to business operations. Inadequate infrastructure and maintenance by concerned bodies remain a primary factor that would allow natural hazards to pose serious risks to business operations. Further, a lack of preparedness and early warning systems has contributed to making Natural Hazards a risk that should be considered with more seriousness. Outbreak of fire ranks at third position with numerous fire accidents in the current year, causing significant loss of life and property. Non-compliance with safety norms in factories and high-rises in addition to the under-equipped fire services in India has led to an alarming number of accidents year-on-year. While the government and other regulatory bodies have prescribed norms and fire safety measures, implementation and vigilance continue to be a concern. Risks that emanate from Terrorism and Insurgency show a significant drop to the fourth position. While there has been a marked decrease in fatalities, it has been found that there has also been a rise in the number of alleged terrorist attacks in the country. Left-Wing Extremism (LWE) remains a severe threat, posing security risks mainly to logistical operations. While the Islamic State (IS) has been relatively controlled on a global scale, the potential of IS sleeper cells remains a big threat. The Government of India continues to push concentrated efforts to holistically counter the threats…