Although the majority of industrial organisations believe they are well-prepared for cybersecurity incidents, this confidence may not be well-founded: every second industrial control system (ICS) company experienced between one and five incidents last year, according to a survey conducted by Kaspersky Lab.
On average, ineffective cybersecurity costs industrial organisations up to $497 000 per year.
The emerging Industry 4.0 trend is making cybersecurity a top priority for industrial organisations globally, adding new challenges to dealing with ICS. Challenges include the convergence of IT and operational technology (OT), and the availability of industrial control networks to external providers. To get more insight into the problems and opportunities faced by ICS organisations today, Kaspersky Lab and Business Advantage have conducted a global survey of 359 industrial cybersecurity practitioners in February – April 2017. One of the survey’s main findings is a gap between the reality and perception of ICS incidents. For example, despite 83% of respondents believing they are well-prepared to face an OT/ICS cybersecurity incident, half of companies surveyed experienced between one and five IT security incidents in the past 12 months, and 4% experienced more than six. This raises an important question – what should be changed in these organisations’ IT security strategies and protection means, so that they can protect their critical business data and technology processes more efficiently?
Incident Experience: Cyberthreats on the Shop Floor
ICS companies are well aware of the risks they’re facing: 74% of respondents believe there may be a cybersecurity attack on their infrastructure. Despite high awareness about new threats such as targeted attacks and ransomware, the biggest pain point for the majority of ICS organisations is still conventional malware: this tops the list of incident experience concerns – with 56% of respondents considering it to be the most concerning vector. In this case, perception meets reality: every second respondent had to mitigate the consequences of conventional malware last year.
But there is also a mismatch surrounding employee errors and unintentional actions – which are far more threatening to ICS organisations than actors from the supply chain and partners, and sabotage and physical damage by external actors. Yet it’s the external actors that are in the top three of what ICS organisations worry about the most.
Meanwhile, the top three incident experience consequences include damage to the product and services quality, loss of proprietary or confidential information and reduction or loss of production at one site.
Security Strategies: From Air Gap to Network Anomalies Detection
86% of organisations surveyed have got an approved and documented ICS cybersecurity policy aimed to safeguard them from potential incidents. However, incident experience proves that a cybersecurity policy alone is not enough. Struggling with a lack of both internal and external IT security expertise, industrial organisations admit that a lack of skills is the utmost concern when it comes to ICS security. This is extremely worrisome as it indicates that industrial organisations are not always ready to fight attacks, while they are constantly at the edge of being compromised. Sometimes – by their own employees. “Internal threats are more dangerous. We are well protected against external threats, but what is done internally has a direct path without a firewall in between. The threat originates unknowingly from members of staff” – admitted an ICS practitioner from a product manufacturing plant in Germany.
On the positive side, the security strategies adopted by ICS practitioners look quite solid. The majority of companies have already given up on using air gap as a security measure, and are adopting comprehensive cybersecurity solutions. In the next 12 months, respondents plan to implement industrial anomaly detection tools (42%) and security awareness training for staff. Industrial anomaly threat detection is especially relevant as every second ICS company surveyed admitted that external providers have access to industrial control networks in their organisation, widening the threat perimeter.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers and IT security teams. They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness.” says Andrey Suvorov, head of Critical Infrastructure Protection, Kaspersky Lab. “With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind”.