Gartner: 30% of Critical Infrastructure Organizations Will
Experience a Security Breach by 2025
December 2, 2021
By 2025, 30% of critical infrastructure organizations will
experience a security breach that will result in the halting of
an operations- or mission-critical cyber-physical system,
according to Gartner.
Critical infrastructure security has become a primary concern
for governments around the world, with the U.S., U.K., EU, Canada
and Australia each identifying sectors deemed ‘critical
infrastructure’, for example, communications, transport, energy,
water, healthcare and public facilities. In some countries,
critical infrastructure is state-owned, while in others, like
the U.S., private industry owns and operates a much larger
portion of it.
“Governments in many countries are now realizing their national
critical infrastructure has been an undeclared battlefield for
decades,” said Ruggero Contu, research director at Gartner.
“They are now making moves to mandate more security controls for
the systems that underpin these assets.”
A Gartner survey* showed that 38% of respondents expected to
increase spending on operational technology (OT) security by
between 5% and 10% in 2021, with another 8% of respondents
predicting an increase of above 10%.
However, this may not be enough to counter underinvestment in
this area over many years, according to Gartner.
“Besides the need to catch up, there is a growing number of
increasingly sophisticated threats,” Contu said. “Owners and
operators of critical infrastructure are also struggling to
prepare for the coming increased oversight.”
Increased risk needs holistic security approach
Over time, the technologies that underpin critical
infrastructure have become more digitized and connected — either
to enterprise IT systems and/or to each other — creating
cyber-physical systems security risks. The result has been a
substantial increase in the attack surface for hackers and bad
actors of all kinds.
In critical infrastructure sectors, organizations need to be
more concerned about real-world hazards to humans and the
environment, rather than information theft. Gartner predicts
that by 2025, attackers will have weaponized a critical
infrastructure cyber-physical system to successfully harm or
recommends that security and risk management (SRM) leaders in
critical infrastructure sectors develop a holistic approach to
security, so that IT, OT and Internet of Things (IoT) security
are managed in a coordinated effort.
“SRM leaders should accelerate efforts to discover, map and
assess the security posture of all cyber-physical systems in
their environment,” said Contu. “Invest in threat intelligence
and join industry groups to stay apprised of security best
practices, upcoming mandates and requests for inputs from
*Note to editors: The 2021 Gartner IT/OT Alignment and
Integration Survey was conducted online from April to May 2021
among 401 respondents from industries in North America, Western
Europe and Asia/Pacific. Respondents were knowledgeable about
decisions of their organization’s OT-related activities.