KPMG and the Control System Cyber Security Association International (CS)2AI, a global non-profit organization for Control Systems (CS) and Operational Technology (OT) professionals, has released their first annual CS/OT Cybersecurity Report.

The study presented was based on a representative sample survey of more than 16,000 practitioners responsible for safeguarding and protecting capital investment properties and structures worth millions to billions. Their responses provide in-depth insights into the state of the CS/OT threatscape environment through various sectors, including utilities, transport, information technology services, manufacturing, hospitals, construction, and others.

“The survey reveals a clear relationship between the failure to focus on the data and metrics needed to enhance security, as well as inadequate levels of maturity for OT security programs,” said Derek Harp, Founder and Chairman of (CS)2AI. “This report, the first of multiple research products our organization is proud to initiate, offers insight into points of failure and areas of success in this industry.”

A key finding of Harp’s survey was the disclosure that less than 25% of businesses had integrated active protection for their control systems and properties.

The report’s key highlights were that 47% of organizations with more mature CS security programs use managed CS security services versus just 6% of those with less mature programs. And although 63% of those with mature programs also replace, after review, vulnerable CS hardware or software, this was also true of just 34% of those with less mature programs.

Organizations with mature CS security programs were able to conduct end-to-end security assessments more frequently. Though over half (53%) of these organizations carried out surveillance of all CS networks, only 16% of organizations with less mature systems took this step.

“Enterprise organizations continue to struggle to address cybersecurity vulnerabilities across control systems and operational technology environments, which can have a material impact on human safety and their businesses’ bottom line,” said Walter Risi, Global Cyber IoT Leader and Technology Consulting Practice Leader, KPMG in Argentina.

The CS/OT Cybersecurity report aimed to provide valuable data-driven insights to business leaders and practitioners to help them create an actionable plan.

“If businesses don’t take appropriate action soon to mitigate risks, regulators and governments will,” said Risi.