The majority (94%) of UK transport organisations have detected cyber attacks on their Operational Technology (OT) or Industrial Control Systems (ICS) in the last year, with 96% of these encountering at least one successful attack, according to new research from independent cyber security services company, Bridewell Consulting.

These findings come despite nearly three-quarters (74%) saying they are confident that their OT systems are protected from cyber threats, highlighting a degree of misplaced confidence in CNI cyber security.

The research, which surveyed 250 UK IT decision makers in the aviation, chemical, energy, transport, and water sectors, found the transport sector experienced the second highest volume of successful attacks, second to water.

Transport organisations are facing increasing risks posed by ageing legacy infrastructure that is becoming increasingly connected. The majority (74%) of transport organisations rely on OT systems that are between 6-20 years old, with over a third (36%) between 11-20 years old. Systems are also increasingly accessible with 82% confirming that their OT / ICS environments are accessible from corporate networks. While nearly half (48%) say systems are currently not accessible from the Internet, of those, 54% plan to make them accessible in the future, potentially widening the attack surface and introducing new threats.

Third party suppliers and partners are perceived to pose the lowest risk to transport organisations, despite the National Cyber Security Centre (NCSC) and revisions to the NIS Directive (NIS 2) identifying the supply chain as a significant area of risk for CNI organisations. This indicates a possible educational challenge over certain cyber threat vectors in the sector.

“The report highlights some nuances between how some organisations in the transport sector perceive their cyber security posture versus reality” says Scott Nicholson, Co-CEO at Bridewell.

“Security vulnerabilities, whilst challenging to remediate within some CNI organisations, could have serious implications, not just in terms of substantial monetary fines but also risks to public safety and even loss of life, so organisations simply cannot afford to be complacent.”

Covid-19 has also intensified cyber threats with over half (53%) of UK transport organisations experiencing increased attacks since the pandemic began. Yet over a third (36%) have reduced cyber security budgets in response. This is putting increasing pressure on IT and security teams with 96% agreeing they have felt an increasing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months.

Encouragingly, all organisations are carrying out some form of security assurance activities. However, less than half (42%) carry out penetration testing and only 40% conduct red, blue or purple team exercises, vital activities that can identify vulnerabilities and reduce the likelihood of attacks.

This could be due to insufficient budgets, with budget constraints cited as the top challenge facing teams today (by 30% of respondents), followed by increased pressure to prevent cyber attacks (26%). Lack of skills is also a big concern, with less than two-thirds (62%) believing they have the right skills in place to maintain and secure their OT environment. Furthermore, 88% agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next 3 to 5 years.

“The transport sector shows the least confidence in having the right skills to maintain and secure their OT environment. While regulation has certainly helped to improve cyber security in the sector, it is clear there are clearly still areas for improvement. Assurance activities, such as penetration testing and red team assessments, need to be standard practice across the industry and organisations, government and industry experts need to continue to work cohesively to plug any skills gaps and mitigate risks before it’s too late,” concludes Nicholson.

The full research report “CNI Cyber Report: Risk & Resilience” can be downloaded here.