Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

セイバーセキュリティの専門家たちがOTセキュリティの重大な課題に直面しています: Ponemonレポート

62% of organizations in industries relying on operational technology experienced two or more business-impacting cyberattacks in the past 24 months, according to a report from Ponemon Institute and Tenable.

If you follow cybersecurity news as avidly as we do, you already know that industrial control systems underlying critical infrastructure are vulnerable, and they are under attack. But, how bad is it? Tenable commissioned Ponemon Institute to answer this question and provide insight into past events, preparedness and future priorities. The data from 701 respondents in industries that have OT infrastructure is presented in the report, Cybersecurity in Operational Technology: 7 Insights You Need to Know. A few highlights are discussed below.

OT is not well-defended and vulnerabilities abound

Visibility into the attack surface is insufficient. Only 20% of respondents agreed or strongly agreed that they had sufficient visibility into their organization’s attack surface. This is very concerning because all security controls/processes depend on the visibility provided by comprehensive asset inventories. You are unlikely to manage and secure assets if you don’t even know about them.

Inadequate staffing and manual processes limit vulnerability management. The shortage of cybersecurity professionals has been well documented. In 2017, Forbes quoted the IS Audit and Control Association (ISACA) as predicting a global shortage of 2 million cybersecurity professionals by 2019. We are now in 2019, and I haven’t seen any data disprove ISACA’s prediction. The well-publicized cybersecurity skills shortage is exacerbated by reliance on manual processes to assess and remediate vulnerabilities.

Top impediments to effective vulnerability management

Using a five-point scale of strongly agree to strongly disagree, the following percentage of respondents agreed or strongly agreed with the below statements.


Agree/Strongly Agree

The security function of our organization has adequate staffing to scan vulnerabilities in a timely manner.


Our organization is at a disadvantage in responding to vulnerabilities because we use a manual process.


Security spends more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog.


出典:運用・制御技術の中のサイバーセキュリティ:7 Insights You Need To Know, Ponemon Institute and Tenable, April 2019.

Vulnerabilities Continue to Proliferate. The ability to assess and remediate vulnerabilities in a timely manner is extremely important. In the first 45 days of 2019, the Industrial Control System-Computer Emergency Response Team (ICS-CERT) issued 45 alerts describing vulnerabilities in industrial control systems1. These vulnerabilities apply to products from leading control system manufacturers, including ABB, AVEVA, Mitsubishi, Omron, Rockwell, Schneider Electric, Siemens and Yokogawa. That quantity is small compared to the 405 IT vulnerabilities discovered during the same period. However, staff responsible for OT security cannot put blinders on and focus only on OT vulnerabilities because IT/OT convergence means that both ICS and IT vulnerabilities can be exploited to attack critical infrastructure. 450 combined OT and IT vulnerabilities in 45 days is challenging for many organizations to assess and remediate. This velocity may or may not continue throughout the year, but even if it decreases by half, the number is challenging to manage without an automated process.

OT is under attack

According to the Operational Technology Cybersecurity Insights report, manual vulnerability management processes result in inadequate protection against cyber-attacks. The report reveals most organizations in industries that have OT infrastructure have experienced multiple cyber-attacks causing data breaches and significant disruption/downtime to business operations, plant and operational equipment. Over the past 24 months:

  • 90% have experienced at least one damaging cyberattack, and 62% have experienced two or more. These data refer to all damaging attacks, not just attacks against OT infrastructure. IT attacks are included because some can result in attackers pivoting from IT into OT.
  • 50% experienced an attack against OT infrastructure that resulted in downtime to plant and/or operational equipment.
  • 23% experienced a nation-state attack. Nearly one quarter were able to attribute an attack to a nation state. This is a serious concern due to the high level of expertise and funding nation-states can provide. Nation-states attackers are not script kiddies.

How can you move forward?

The survey reveals that 70% of respondents view “Increasing communication with C-level and board of directors about the cyber threats facing our organization” as one of their governance priorities for 2019. If this applies to you, you can reference the survey data in discussions with executive leadership as you discuss your organization’s security posture relative to OT attacks.


The report is based on a survey of 710 IT and IT security decision-makers in the following industries: energy and utilities; health and pharmaceutical; industrial and manufacturing; and transportation industries. Respondents were from the United States, United Kingdom, Germany, Australia, Mexico and Japan, and all respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. 同レポートでは、総合的な所見をご確認いただけます。 無料版は こちらからダウンロードできます。

1Tenable Research discovered a Remote Code Execution vulnerability in InduSoft Web Studio, an automation tool for human-machine interface and SCADA systems.


Tenable のブログにご登録ください。最新の投稿にアクセスできます。

無料でお試し 今すぐ購入


30 日間無料

最新のクラウドベースの脆弱性管理プラットフォームの全機能にアクセスし、これまでにない精度で全ての資産を確認し、追跡しましょう。 今すぐサインアップしてください。


最新のクラウドベースの脆弱性管理プラットフォームの全機能にアクセスし、これまでにない精度で全ての資産を確認し、追跡しましょう。 年間サブスクリプションをご購入ください。

65 資産


無料でお試し 今すぐ購入

Nessus Professionalを無料で試す


Nessus®は、最も包括的な脆弱性スキャナです。Nessus Professionalは脆弱性のスキャンプロセスを自動化し、コンプライアンスサイクルを短縮し、お客様がITチームに専念できるようにサポートします。

Nessus Professionalを購入する

Nessus®は、最も包括的な脆弱性スキャナです。Nessus Professionalは脆弱性のスキャンプロセスを自動化し、コンプライアンスサイクルを短縮し、お客様がITチームに専念できるようにサポートします。

複数年ライセンスをご購入いただくと割引が適用されます。 拡張サポートでは 24 時間x365 日、電話、コミュニティ、チャットサポートのアクセスが追加されます。 詳細はこちらから

無料でお試し 今すぐ購入

Tenable.io Web Application Scanningを試す

30 日間無料

Tenable.ioプラットフォームの一部として最新のアプリケーション用に設計された、最新のWebアプリケーションのスキャンサービスの全機能にアクセス可能です。手作業による労力や重大なWebアプリケーションの中断なしに、脆弱性のオンラインポートフォリオを安全に高精度でスキャンします。 今すぐサインアップしてください。

Tenable.io Web Application Scanningを購入する

最新のクラウドベースの脆弱性管理プラットフォームの全機能にアクセスし、これまでにない精度で全ての資産を確認し、追跡しましょう。 年間サブスクリプションをご購入ください。




無料でお試しになれます。 セールスにご連絡ください。

Tenable.io Container Securityを試す

30 日間無料

脆弱性管理プラットフォームに統合された唯一のコンテナセキュリティ製品の全機能にアクセス可能です。コンテナイメージの脆弱性、マルウェア、ポリシー違反を監視継続的インテグレーション/継続的デリバリー(CI / CD)システムと統合し、DevOpsプラクティス、セキュリティ強化、および企業のポリシーコンプライアンスをサポート

Tenable.io Container Securityを購入する

Tenable.ioのContainer Securityは、ビルドプロセスと統合することにより、コンテナイメージのセキュリティ(脆弱性、マルウェア、ポリシー違反など)を可視化し、シームレスかつ安全なDevOpsプロセスを実現します。



無料でお試しになれます。 セールスにご連絡ください。

Tenable Luminを試す

30 日間無料

Tenable Luminを使用して、Cyber Exposureを可視化および調査し、リスクの軽減を追跡し、競合他社に対してベンチマークしましょう。

Tenable Luminを購入する


Tenable.ot のデモを予約する

組織の OT セキュリティニーズのために。