Critical Infrastructure at Risk Due to "Deficient" OT Cybersecurity Training

Secolve Report Finds OT Cybersecurity Training is "Infrequent, Weak, and Generic" in Critical Sectors

MEDIUM
December 11, 2025
Industrial Control Systems, Policy and Compliance, Security Operations

Full Report

Executive Summary

A new report from the Australian OT cybersecurity firm Secolve reveals a critical gap in the preparedness of critical infrastructure organizations. The report, titled "The State of OT Cybersecurity Training in Critical Infrastructure," surveyed senior professionals across sectors such as energy, manufacturing, water, and mining. The findings indicate that cybersecurity training for Operational Technology (OT) staff is profoundly deficient. It is often too focused on traditional IT, delivered infrequently, or overlooked entirely, fostering an immature security culture that puts essential services at risk.


Regulatory Details

While the report doesn't introduce a new regulation, its findings are highly relevant to existing and forthcoming critical infrastructure security obligations in Australia and globally. The survey highlights a widespread failure to meet the spirit, if not the letter, of regulations that require organizations to manage cybersecurity risks effectively. The core issue identified is that generic, IT-focused training does not adequately prepare staff for the unique challenges and technologies of Industrial Control Systems (ICS) environments.

Key findings from the survey include:

  • 24% of organizations have never conducted OT-specific cybersecurity training.
  • 21% only provide such training during employee onboarding.
  • 42% of respondents described their training as too focused on IT security, making it irrelevant to their daily work.
  • Only 11% found their training to be "practical" for their OT work environment.

Affected Organizations

The report's findings apply to a broad range of organizations within Australia's critical infrastructure sectors, including:

  • Energy
  • Manufacturing
  • Water and Wastewater
  • Mining
  • Oil and Gas

These sectors rely heavily on OT to manage physical processes, and a failure to secure these systems can have severe consequences, including service disruptions, environmental damage, and risks to public safety.

Impact Assessment

The primary impact of deficient OT security training is a significantly increased risk of a successful cyberattack. An unprepared workforce is the weakest link in the security chain. Staff who do not understand OT-specific threats are more likely to fall for phishing attacks, mishandle portable media, or fail to recognize indicators of a compromise. The report's finding that securing remote access is a key challenge is particularly concerning, as this is a common vector for attacks on OT systems. The business impact includes potential operational downtime, costly remediation, regulatory fines, and reputational damage.

Compliance Guidance

Based on the report's findings, organizations must move beyond a check-the-box approach to security training and develop robust, OT-specific programs. A tactical implementation plan should include:

  1. Develop Role-Based Training: Create distinct training modules for different roles. An engineer in a power plant needs different knowledge than a desk-based IT administrator. The training must be practical and use scenarios relevant to the specific industrial environment. This is a core component of MITRE ATT&CK Mitigation M1017 - User Training.

  2. Increase Training Frequency: Cybersecurity training should not be a one-time event. Conduct regular refresher courses, workshops, and drills (such as tabletop exercises) to keep skills sharp and knowledge current.

  3. Integrate Practical Exercises: Move beyond slideshows. Use hands-on labs, simulations, and even gamified platforms to give OT staff practical experience in identifying and responding to threats in a safe environment.

  4. Secure Remote Access: Prioritize training on secure remote access procedures, including the use of Multi-factor Authentication (MFA), VPNs, and jump hosts. This directly addresses a key risk identified by respondents.

  5. Foster a Security Culture: Leadership must champion the importance of OT security. Training should be part of a broader cultural shift where security is seen as a shared responsibility, not just a problem for the IT department.

By investing in tailored and continuous OT security training, critical infrastructure organizations can mature their security posture and build a resilient workforce capable of defending against modern cyber threats.

Timeline of Events

December 11, 2025: This article was published

MITRE ATT&CK Mitigations

The core recommendation of the report is to implement frequent, practical, and OT-specific cybersecurity training for all relevant personnel.

Effective training requires a foundational understanding of the OT assets being protected, their functions, and their vulnerabilities.

Given that securing remote access was cited as a key risk, training must specifically address policies and procedures for secure remote connections to OT networks.

Sources & References

Secolve report finds OT cybersecurity training falling short across critical infrastructure
Industrial Cybersecurity Pulse (industrialcybersecuritypulse.com) December 11, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

OT Security, ICS, Cybersecurity Training, Critical Infrastructure, Australia, Report
