Kaspersky Lab announced a new “State of Industrial Cybersecurity 2017” survey, which found that over half (54%) of the ICS companies interviewed had experienced at least one cyberattack in the last 12 months, and one in five (21%) had experienced two incidents in the same period. Overall, half of the companies surveyed experienced between one and five IT security incidents in the past 12 months.
To gain a better understanding of the issues and opportunities faced by ICS organizations today, Kaspersky Lab and Business Advantage surveyed 359 industrial cybersecurity practitioners from 21 countries between February and April 2017. The research indicates a gap between how ICS incidents are perceived and what actually happens.
Organizations may not always know whether their control systems have been attacked, either because the attack was subtle and designed to probe for small weaknesses, or because existing risk controls intercepted the threat without anyone noticing. The ICS companies surveyed are aware that a cyberattack on their systems is a realistic prospect: 74 percent of respondents said they expect an attack on their infrastructure. Where they go wrong is in judging which of the risks their systems face deserve priority.
Despite high awareness of newer threats such as targeted attacks and ransomware, the biggest pain point for the majority of ICS organizations is still conventional malware. Among respondents, conventional malware and virus outbreaks were the top incident concern (56%), followed by threats from third parties (44%) and by sabotage or other intentional physical damage by external actors (41%).
The findings also show that respondents underrate employee errors and unintentional actions, which pose a far greater threat to ICS organizations than their ranking of concerns suggests. The threats that actually caused incidents were conventional malware and virus outbreaks (53%), then targeted attacks (36%), and in third place employee errors and unintentional actions (29%). As a cause of incidents, human error ranks above both supply-chain and partner actors and sabotage or physical damage by external actors, yet it is those external actors that appear among the top three risks ICS organizations worry about most.
Struggling with a shortage of both internal and external IT security expertise, industrial organizations admit that a lack of skills is their top ICS security concern. The item most often rated a “priority” or “main priority” by respondents is hiring ICS cybersecurity staff with the right skills (see chart below for figures). This finding is worrisome: it indicates that industrial organizations are not always ready to defend against attacks, even though they are clearly exposed to compromise by both outside actors and their own employees.
[Chart: Top five security challenges indicated by ICS practitioners]
Not only is ICS cybersecurity talent scarce in the industry, but there is also a major lack of information sharing and incident reporting among ICS companies. Incidents are considerably underreported because compulsory reporting is limited: just a quarter of respondents said they have to comply with industry or government guidelines, and with so little guidance and regulation in the industrial sector, only 19 percent of respondents are required to report breaches, leaving 81 percent under no such obligation. Some companies admit to withholding incident reports to protect their brand reputation; however, the majority (two thirds) of businesses said they would welcome some level of compulsory reporting. There is therefore a large opportunity for governments and regulators to improve industry reporting and create more transparency.
Among the companies that had fallen victim to a cyberattack, the average annual cumulative reported financial loss from ICS cybersecurity breaches was $347,603, covering the direct consequences of the incidents as well as the cost of software upgrades, staff and training. The financial impact on larger companies is even greater: for companies with 500 or more employees, the reported annual cumulative loss was $497,097. The majority of these larger companies (71%) had experienced between two and five cybersecurity incidents in the last 12 months.
“As cyberattacks and the growing connected environments of industrial organizations evolve, ICS organizations will continue to face new challenges, and it’s essential that their security strategies are re-assessed now before it is too late,” said Clint Bodungen, senior researcher, critical infrastructure threat analysis, Kaspersky Lab. “Preparedness among all departments in the organization – such as executive leaders, engineers, IT security teams and more – is key to protecting against cyberattacks. Businesses managing ICS environments need to put the necessary policies, procedures, technology and training in place immediately to properly manage these risks before they have an opportunity to damage the business.”