Alarming Findings Reveal Critical Gaps in OT Cybersecurity Training in Australia
Serious Concerns in OT Cybersecurity Training
A staggering 24% of organizations involved in critical infrastructure and industrial activities have never engaged in Operational Technology (OT) cybersecurity training, according to a recent report by Secolve. This alarming statistic raises significant questions regarding the preparedness of Australian industries to combat potential cyber threats.
Secolve, acknowledged as one of Australia’s foremost authorities in OT cybersecurity, conducted the survey among senior professionals across varied sectors—including energy, manufacturing, mining, and oil & gas. The findings reveal a troubling culture surrounding OT security in these fields, with many organizations exhibiting a lack of initiative when it comes to training their staff adequately.
Deficiencies in Training
The report highlighted that only 21% of respondents received OT-specific training during their onboarding, pointing to a critical gap in ongoing education in this vital area. More distressingly, a mere 11% of those surveyed described their training as practical and relevant to their work environments. A significant 42% perceived their training as overly focused on traditional IT cybersecurity, raising doubts about its applicability in often hazardous operational settings.
Secolve’s CEO, Laith Shahin, articulated his concerns about the state of training: "OT cybersecurity training is infrequent, weak, and generic. It's nonsensical to apply a one-size-fits-all approach in balancing safety and cybersecurity training across distinct job functions. Engineers, technicians, and miners face unique challenges that IT personnel do not, thus requiring tailored training that speaks directly to their needs."
The report emphasized that in an era where industries are prime targets for cybercriminals and with a growing number of interconnected devices in operational environments, the lack of adequate training poses a severe risk to operational integrity and safety.
Identifying Key Risks
While respondents did recognize key OT risks—such as ensuring remote access security, monitoring control systems for suspicious activity, and managing risks regarding USB and removable media—confidence in addressing these risks appears low. Just 55% of individuals expressed confidence in their staff's ability to identify and report suspicious behavior, and a mere 15% characterized their organization’s OT security awareness culture as strong.
Shahin asserted: "The immaturity of OT cybersecurity coupled with inadequate training is alarming but hardly unexpected. Although organizations are beginning to acknowledge the importance of OT cybersecurity as a priority, most remain rooted in outdated, compliance-oriented, IT-centric training models."
For a genuine evolution in cybersecurity training, Shahin advocates for approaches rooted in role-specific, scenario-based, and continuous learning.
Blueprint for Improvement
To improve the situation, Shahin emphasized the urgency of adopting more dynamic training methodologies within these organizations. Specifically, he proposed the introduction of gamified learning experiences that weave cybersecurity education into daily operations and safety protocols. By doing so, organizations would not only improve their awareness but also foster a culture of proactive security practices among employees.
About Secolve
As a leading OT cybersecurity firm in Australia, Secolve partners with enterprises to fortify critical infrastructures against cyber threats. By implementing bespoke strategies and comprehensive training programs, Secolve aims to cultivate a culture of cyber awareness and responsibility, ensuring that every worker, irrespective of their role, feels empowered to safeguard their digital environment effectively.