NAM Leading Edge & PwC OT Benchmarking Survey 2023

At the request of NAM’s Manufacturing Cybersecurity Advisory Council (MCAC), a group of manufacturing CISOs, the NAM has partnered with PwC to conduct a survey to benchmarking survey. The goal of the survey is to quantify the current state of OT cybersecurity and provide benchmarks and goals for all manufacturers to reduce the cyber risks in the supply chain.

Please complete this survey or forward to the appropriate individual at your organization. Thank you in advance. All responses will be kept confidential and results shared in aggregate.

Question Title

* 1. Who is primarily responsible for OT security in your organization? Select one.

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Chief Technology Officer (CTO)

Chief Operating Officer (COO)

Business Unit / Supply Chain

Manufacturing Operations

Site Leadership

Engineering

Shared responsibility among several executives

Other (please specify)

Question Title

* 2. How large is the size of the team that is 100% dedicated to OT security in your organization?

N/A

1 person

2-5 people

6-10 people

11-15 people

16 or more people

Question Title

* 3. How many individuals are allocated to support OT security as part of their overall role?

N/A

1 person

2-5 people

6-10 people

11-15 people

16 or more people

Question Title

* 4. From which department (s) or divisions budget does the bulk of funding for OT security initiatives and/or ongoing costs (e.g., Tool licenses, maintenance, etc.) come from?

Cybersecurity

Business Units

Site Leadership

Corporate Operations

Other (please specify)

Question Title

* 5. How integrated are the cyber functions between IT and OT?

Fully integrated

Partially integrated

Minimally integrated

Our IT and OT teams do not work together on cyber initiatives at all.

Question Title

* 6. Please choose which best represents the stage of OT/ICS security your organization is in currently?

Realization of the security and risk challenges that OT/ICS environment brings

Discovering assets and mapping network topology to determine the scope

Discovering and prioritizing mitigation of ICS/OT security gaps

Implementation and Integration of OT platforms into cyber controls within the OT environment

Optimization of OT/ICS security environment

Question Title

* 7. Relative to the Capability Maturity Model Integration (CMMI) levels, how mature is your OT cybersecurity program today?

Maturity Level 0 – Incomplete

Maturity Level 1 – Initial

Maturity Level 2 – Managed

Maturity Level 3 – Defined

Maturity Level 4 – Quantitatively managed

Maturity Level 5 – Optimizing

Question Title

* 8. What are the top two reasons driving your organization to expand your OT security program (Choose Top 2)?

Smart Factory/Factory of the Future/Industry 4.0

Ransomware

Experienced cyber attacks at your company

Competitors/Industry peers experienced cyber attacks

Concern from board members

Cybersecurity roadmap outlining priorities and technology requirements

Compliance with regulations or directives

Concern for safety of employees

Other (please specify)

Question Title

* 9. To what extent do the following executives have visibility into OT security risks at your organization?

	None at all	Very limited visibility	Some visibility	Full visibility
CEO and Direct Reports	CEO and Direct Reports None at all	CEO and Direct Reports Very limited visibility	CEO and Direct Reports Some visibility	CEO and Direct Reports Full visibility
VP Level Only	VP Level Only None at all	VP Level Only Very limited visibility	VP Level Only Some visibility	VP Level Only Full visibility
Engineering	Engineering None at all	Engineering Very limited visibility	Engineering Some visibility	Engineering Full visibility
Operations/Supply Chain Team	Operations/Supply Chain Team None at all	Operations/Supply Chain Team Very limited visibility	Operations/Supply Chain Team Some visibility	Operations/Supply Chain Team Full visibility
Cybersecurity Team	Cybersecurity Team None at all	Cybersecurity Team Very limited visibility	Cybersecurity Team Some visibility	Cybersecurity Team Full visibility
Information Technology (IT) / Infrastructure Team	Information Technology (IT) / Infrastructure Team None at all	Information Technology (IT) / Infrastructure Team Very limited visibility	Information Technology (IT) / Infrastructure Team Some visibility	Information Technology (IT) / Infrastructure Team Full visibility
We have opportunity to expand visibility of OT risks at the organization	We have opportunity to expand visibility of OT risks at the organization None at all	We have opportunity to expand visibility of OT risks at the organization Very limited visibility	We have opportunity to expand visibility of OT risks at the organization Some visibility	We have opportunity to expand visibility of OT risks at the organization Full visibility

Question Title

* 10. Which of the following are communicated regarding OT cyber risk to executives and boards in your organization? Please check all that apply.

Updates on the deployment of technical controls/countermeasures / progress against a roadmap

Compliance with regulations

Audit findings

Maturity scores

Qualitative risk scores

Quantitative risk scores

Other (please specify)

Question Title

* 11. What initiatives are in-flight or planned for implementation in 2023 to address your key OT security risks? (Select All That Apply)

Asset Management

Technology Refresh

Network Segmentation

Identity and Access Management (IAM)

Monitoring / Response

Patching

HBoM/SBoM

We don't have a plan to address OT security risks at this time

Other (please specify)

Question Title

* 12. Which of the following information security frameworks has your organization adopted for your OT security program? Check all that apply.

ISA/IEC 62443

NIST SP 800-82

NIST Cybersecurity Framework (NIST CSF)

ISO 27001 / ISO 27002

Industry-Specific Regulations (e.g., NERC CIP, TSA Directive)

Other (please specify)

Question Title

* 13. If you are an organization that manufactures a connected product or solution, are you considering submitting your product for certification with an industry standard?

Yes

Not applicable

Question Title

* 14. What tools are you using for OT asset and/or monitoring? Please check all that apply.

Dragos

Claroty

Armis

Nozomi

Microsoft Defender for IoT

Phosphorous

Other (please specify)

Question Title

* 15. What tools are you using for Privileged Access Management (PAM) in your OT environment? Please check all that apply.

CyberArk

Beyond Trust

Claroty Secure Remote Access (SRA)

Symantec Privileged Access

One Identity Safeguard

OEM Provided Solution

I don't use PAM in my OT environment.

Other (please specify)

Question Title

* 16. What is the composition of the resources performing OT security activities in your organization today? Please indicate the percentages; percentages must add up to 100%. (Example: for 20%, enter 20.)

Employees from IT/Cybersecurity

Employees from OT/Engineering

Contractors

Other

Question Title

* 17. Which best describes your plans for future OT security staffing?

We are increasing our in-house OT security staff.

We are relying primarily on cross-training internal cybersecurity resources to manage the OT environment.

We outsource to an external OT security entity to manage our organization’s program.

Question Title

* 18. To what extent are the following changes affecting your organization’s OT security strategy?

	Not applicable	Not at all affecting our OT security strategy	Only somewhat affecting	Very significantly affecting
Decisions around OEMs	Decisions around OEMs Not applicable	Decisions around OEMs Not at all affecting our OT security strategy	Decisions around OEMs Only somewhat affecting	Decisions around OEMs Very significantly affecting
Diversification of strategies across regions	Diversification of strategies across regions Not applicable	Diversification of strategies across regions Not at all affecting our OT security strategy	Diversification of strategies across regions Only somewhat affecting	Diversification of strategies across regions Very significantly affecting
Consolidating plants	Consolidating plants Not applicable	Consolidating plants Not at all affecting our OT security strategy	Consolidating plants Only somewhat affecting	Consolidating plants Very significantly affecting
Building new plants	Building new plants Not applicable	Building new plants Not at all affecting our OT security strategy	Building new plants Only somewhat affecting	Building new plants Very significantly affecting
Reconsidering supplier network to ensure components are cyber-secure	Reconsidering supplier network to ensure components are cyber-secure Not applicable	Reconsidering supplier network to ensure components are cyber-secure Not at all affecting our OT security strategy	Reconsidering supplier network to ensure components are cyber-secure Only somewhat affecting	Reconsidering supplier network to ensure components are cyber-secure Very significantly affecting
Looking deeper into security of connected products	Looking deeper into security of connected products Not applicable	Looking deeper into security of connected products Not at all affecting our OT security strategy	Looking deeper into security of connected products Only somewhat affecting	Looking deeper into security of connected products Very significantly affecting
Other	Other Not applicable	Other Not at all affecting our OT security strategy	Other Only somewhat affecting	Other Very significantly affecting

Question Title

* 19. If you are executing an OT IAM initiative, are you planning on using one AD domain/forest for OT or multiple AD domains in OT?

One AD Domain Forest

Multiple AD Domain Forests

We are not planning on executing an IAM initiative for OT at this time

Other (please specify)

Question Title

* 20. What is your company’s primary industrial classification?

Chemicals (includes Pharmaceuticals)

Computer and electronic products

Electrical equipment and appliances

Fabricated metal products

Food manufacturing

Furniture and related products

Machinery

Nonmetallic mineral products

Paper and paper products

Petroleum and coal products

Primary metals

Transportation equipment

Wood products

Other (please specify)

Question Title

* 21. What is your firm size (e.g., the parent company, not your establishment)?

Fewer than 50 employees

50 to 499 employees

500 to 999 employees

1,000 to 4,999 employees

5,000 to 9,999 employees

10,000 to 19,999 employees

20,000 or more employees

Uncertain

NAM Leading Edge & PwC OT Benchmarking Survey 2023

Question Title

* 1. Who is primarily responsible for OT security in your organization? Select one.

Question Title

* 2. How large is the size of the team that is 100% dedicated to OT security in your organization?

Question Title

* 3. How many individuals are allocated to support OT security as part of their overall role?

Question Title

* 4. From which department (s) or divisions budget does the bulk of funding for OT security initiatives and/or ongoing costs (e.g., Tool licenses, maintenance, etc.) come from?

Question Title

* 5. How integrated are the cyber functions between IT and OT?

Question Title

* 6. Please choose which best represents the stage of OT/ICS security your organization is in currently?

Question Title

* 7. Relative to the Capability Maturity Model Integration (CMMI) levels, how mature is your OT cybersecurity program today?

Question Title

* 8. What are the top two reasons driving your organization to expand your OT security program (Choose Top 2)?

Question Title

* 9. To what extent do the following executives have visibility into OT security risks at your organization?

Question Title

* 10. Which of the following are communicated regarding OT cyber risk to executives and boards in your organization? Please check all that apply.

Question Title

* 11. What initiatives are in-flight or planned for implementation in 2023 to address your key OT security risks? (Select All That Apply)​

Question Title

* 12. Which of the following information security frameworks has your organization adopted for your OT security program? Check all that apply.

Question Title

* 13. If you are an organization that manufactures a connected product or solution, are you considering submitting your product for certification with an industry standard?

Question Title

* 14. What tools are you using for OT asset and/or monitoring? Please check all that apply.

Question Title

* 15. What tools are you using for Privileged Access Management (PAM) in your OT environment? Please check all that apply.

Question Title

* 16. What is the composition of the resources performing OT security activities in your organization today? Please indicate the percentages; percentages must add up to 100%. (Example: for 20%, enter 20.)

Question Title

* 17. Which best describes your plans for future OT security staffing?

Question Title

* 18. To what extent are the following changes affecting your organization’s OT security strategy?

Question Title

* 19. If you are executing an OT IAM initiative, are you planning on using one AD domain/forest for OT or multiple AD domains in OT?

Question Title

* 20. What is your company’s primary industrial classification?

Question Title

* 21. What is your firm size (e.g., the parent company, not your establishment)?

* 11. What initiatives are in-flight or planned for implementation in 2023 to address your key OT security risks? (Select All That Apply)