A quarter of industrial and critical infrastructure organisations have never conducted OT cybersecurity training, according to new research from Secolve, which warns that Australia’s OT security culture remains weak and immature.
The report surveyed senior professionals across energy, manufacturing, water, mining, oil and gas, and critical infrastructure supply chains. It found that OT cybersecurity training is often non-existent, outdated or overly focused on IT, despite the rapid rise of internet-connected devices in industrial environments and the growing frequency of cyberattacks targeting critical systems.
Twenty-four per cent of respondents said they had never undertaken OT-specific training, while 21 per cent said training was only provided during onboarding. Just 11 per cent described their training as practical for their work environment, and 42 per cent said it was too focused on IT rather than OT realities.
“OT cybersecurity training is infrequent, weak and generic,” said Secolve CEO Laith Shahin. “Engineers, technicians and miners work in hazardous environments surrounded by tech, powerful robotics and large autonomous machines. Many will get OT cybersecurity training in their first week, then never again. Some will never have OT cybersecurity training at all, and will simply have the same IT training as their desk job colleagues. Frankly, it’s utterly nonsensical to give the same cybersecurity training to people regardless of whether they work behind a desk, in a mining pit, from a factory floor, or energy plant. Training them all the same is like not training them at all.”
Respondents identified their top OT risks as securing remote access and third-party connections, detecting suspicious behaviour in control systems, and managing risks related to USB and removable media. Yet confidence in frontline readiness remains low: only 55 per cent were confident that frontline staff could identify and report suspicious activity, and just 15 per cent described their organisation’s OT security awareness culture as strong.
“The immaturity of OT cybersecurity and lack of training is alarming, but hardly surprising. OT cybersecurity is still incredibly immature in Australia,” Shahin said. “Organisations are starting to recognise OT cybersecurity as a priority, but most remain stuck in compliance-driven, IT-centric training models. For these organisations to mature, they must adopt continuous, role-specific, scenario-driven, and gamified learning that is integrated into daily operations and safety frameworks.”
Secolve warns that without meaningful advances in training and culture, industrial and critical infrastructure organisations will remain vulnerable to the rising wave of OT-targeted cyber threats.
