Introduction
The technological advancements in manufacturing and industrial technology have ushered in a new era of interconnectivity between OT and IT systems. As this transformation gains momentum, the criticality of securing OT environments has grown, leading to an upswing in investment in OT cybersecurity. Heightened executive awareness of the cyber threat to OT and expanding regulation have further driven investment in securing these systems. However, the impact of these macro drivers is not uniform across all regions. A closer analysis of global OT security revenue per capita highlights geographical variations in the presence and influence of these drivers.
Macro Trends underpinning greater OT cybersecurity investment remain strong
Despite challenging global economic conditions, expenditure on OT cybersecurity has continued to increase. There are three main drivers of this growth in investment: digital transformation, regulation, and changing attitudes to risk management.
The growing interconnectivity among OT devices, systems, and processes has facilitated the digital transformation of industrial operations, increasing demand for cloud computing services, data analytics, digital twins, and machine learning. Convergence between IT and OT has further accelerated this trend, facilitating seamless integration and data exchange between two previously isolated environments. The new digital asset owner is characterised by higher levels of interoperability and collaboration, enabling process optimisation and productivity gains. However, the benefits of digital transformation need to be managed alongside the increased exposure to IT & OT vulnerabilities, which requires new cybersecurity policies, processes, and procedures to ensure the resilience of future operating models.
Regulation continues to influence procurement decisions. Enforcement efforts are strengthening, regulation is expanding to cover more industry sectors with a focus on supply chain resilience, and there is a growing requirement for higher security levels. Examples in the United States include both CISA’s Binding Operational Directive 23-01 and TSA Directive SD 1580/82-2022-01 (which became enforceable in 2023), and OMB M-22-09 which focusses on establishing Zero Trust in Federal operated infrastructure. The NIS2 directive will be enforceable in every EU country from 2024 and has been expanded to include key manufacturing sectors, increasing the directive’s coverage of the EU’s economic base from 21% to 36%. Critical Entities Resilience Act (CER) compliments NIS2 with the goal of improving resilience to all threats, whether accidental or from a natural disaster. Similarly, Australia, India, Japan, and Canada have all recently launched new regulation or are in the process of reviewing whether current policy is fit for purpose.
The final contributing factor to increased investment is heightened executive awareness of OT risk due to widely reported ransomware incidents impacting industry peers. This has resulted in improved governance and a focus on cybersecurity resilience. Research from Orange Cyberdefense highlights that the manufacturing sector was the most attacked industry sector in 2022, due in part to its large size, and from an attacker perspective its relative attractiveness (manufacturing CVSS scores are 33% higher than the global average). This research also highlights that 58% of incidents result from internal errors and misconfigurations. As such, asset owners need to protect against external threats but also closely monitor internal processes.
Investment in OT cybersecurity differs across regions
Despite the strong investment drivers, investment in OT cybersecurity differs significantly by country. There is a strong correlation between OT cybersecurity investment and economic wealth.
Figure 1: OT Security Revenue Per Capita
Figure 1 illustrates global OT cybersecurity expenditure per capita. The data reveals patterns that shed light on the factors driving the OT security expenditure of firms in different countries.
Firstly, in countries with a strong manufacturing base, the level of digital maturity within the manufacturing sector impacts the level of expenditure on OT security. The World Economic Forum’s assessment of the digital maturity of various industry sectors in Figure 2 helps to provide a perspective on how the type of manufacturing industry impacts regional expenditure. Countries like Germany, South Korea and Japan, that host highly advanced and digitally mature manufacturing sectors such as automotive, aerospace and medical technology, tend to have more mature cybersecurity programs and higher investment in OT cybersecurity. By contrast, firms in countries with less digitally mature manufacturing segments, like textiles, food and beverage, and footwear, generally exhibit lower levels of investment in OT security.
Figure 2: Digital Maturity of Industry Sectors
For countries with a significant natural resource base, the existence of strong regulation is the leading driver of OT cybersecurity expenditure. By and large, the more economically advanced a country is, the stronger and more extensive the regulations concerning cybersecurity tend to be, particularly in critical industries such as energy generation and utility distribution. As a result, asset owners in advanced economies are compelled to invest heavily in OT cybersecurity relative to countries that lack a strong regulatory framework. Hence advanced economies with significant energy exports, such as Canada or Norway, have some of the highest levels of OT security expenditure per capita.
In countries where natural resources are of high importance to the nation’s economy, but regulation is weaker, there can still be significant investment in OT cybersecurity. Firms in wealthier countries like Qatar, the United Arab Emirates and Saudi Arabia recognise the economic importance of protecting their natural resource-based operations. Despite the weaker regulation, National Oil Companies (NOC) in these countries invest heavily in cybersecurity to protect their operations and have a higher level of OT cybersecurity expenditure per capita.
In summary, figure 1 highlights the correlation between OT cybersecurity expenditure and a countries’ industrial base and wealth. The countries categorised as Very High and High are where a significant majority of OT cybersecurity expenditure is concentrated in 2023.
Concluding
Despite an increased focus and growing investment on managing industrial cyber threats, OT cybersecurity maturity remains low, even in advanced economies. Nevertheless, due to the three investment drivers: digital transformation, regulation and changing attitudes to risk management, WA expects maturity to increase significantly over the next decade. This has already started in Advanced Economies characterised by high levels of digitalisation and regulation, and in petroleum exporting economies, and will slowly expand to emerging economies.
Westlands Advisory’s latest insight, ‘Industrial Cybersecurity Industry Analysis’ is available now. The analysis includes interviews with CISOs responsible for OT, industry OEMs, technology vendors, Systems Integrators and MSSPs. The report includes both a qualitative discussion of the industry trends, a quantitative analysis of expenditure by technology, country and industry segment, and an assessment of future scenarios.
Contact us to discuss the report or for more information: info@westlandsadvisory.com