The importance of industrial cybersecurity is increasing because industrial cyber-attacks are becoming more widespread and global in nature. It is essential that industrial organizations identify and assess risks. They must put in place the necessary policies, procedures and staff training to manage industrial cybersecurity risks. The result will be to reduce the likely impacts that any breaches may have on their organization.
Business Advantage conducted an independent research study of ICS/OT (Industrial Control Systems/Operational Technology) cybersecurity professionals. The purpose was to understand their attitudes and to identify the most important cybersecurity issues affecting their organizations.
359 interviews took place in 21 countries. Of the companies interviewed, 56% were manufacturers, 19% were in construction and engineering and 11% in oil and gas. The remaining 14% were from utilities and energy, government or public sector, real estate, hospitality and leisure and defense.
All participants had some responsibility for making ICS cybersecurity decisions and half held ultimate responsibility.
Our research found that industrial cybersecurity issues happen in ICS environments on a constant basis.
Certain organizations such as oil and gas companies have “critical infrastructure” with specific risk models. This is due to the essential and sensitive nature of their industrial processes and infrastructure.
Other organizations, for example manufacturers of machinery and industrial products, utilize different industrial processes that are seen as “non-critical” infrastructure and processes.
Regardless of how critical the infrastructure and processes are, the results of a cyber attack are expensive and can create high-profile fallout. It is essential that all companies are alert to the potential risks to their ICS security.
Attitudes within Non-Critical Infrastructure Organizations
As risks continue to emerge in the field of ICS cybersecurity, knowledge of those risks is still growing. Businesses need to keep up-to-date on the latest threats and risks.
It is especially interesting to look at the attitudes towards ICS cybersecurity within organizations with non-critical infrastructure. They are not as heavily regulated as companies with officially “critical” infrastructure and processes. Therefore, they have more independence in deciding how to protect (or not to protect) their industrial network and whether or not to report breaches.
How Breaches Happen
Industrial cybersecurity threats are all around and they come in many guises. These threats can be as simple as an industrial floor worker using an industrial PC for personal purposes such as Internet browsing. This simple act can have an impact on the control system, which in turn can lead to the shutdown of manufacturing processes.
In some instances, these threats can also be highly sophisticated, planned and targeted attacks. Some sophisticated attacks are designed specifically to jump over the air gap and access the industrial network.
Frequency and Cost of Breaches in Cybersecurity
As industrial cyber-attacks become more widespread and global in nature, it’s essential that industrial organizations identify and assess risks. In this global research study, we found that:
- Over half the companies interviewed experienced at least one cybersecurity incident in the last 12 months
- The average annual reported financial loss for a business affected by an ICS cybersecurity breach was $347,603
- Larger companies (with 500+ employees) reported an annual cumulative loss of just under $500,000 when affected by a cybersecurity breach
- Of those larger companies, nearly three-quarters (71%) reported that they have experienced between 2 and 5 cybersecurity incidents in the last 12 months
Anticipation of Attacks
Three out of four companies (74%) expect an ICS cybersecurity attack to happen to them.
However, the approaches taken to manage industrial cybersecurity are unstructured and could be improved. Some of the reasons stated for the challenges in managing industrial cybersecurity risks are:
- Companies are struggling to find the right staff and external support to help them manage and reduce their industrial cyber risks
- For 50%, finding employees with the right skills to manage ICS cybersecurity is a “priority”, and a “main priority” for 15% of those businesses
- Finding reliable partners able to implement solutions is a struggle for 48% of businesses, with 13% listing it as a “main priority”
- “Non-critical” industrial organizations (such as machinery manufacturers) do not have a mandatory requirement to report security breaches. This means around 22% of these businesses we interviewed did not report any incidents at all, while a third had reported only some of the breaches. With limited compulsory reporting, there can be a tendency to withhold at least some incident reporting to protect brand reputation.
The Coping Strategy
Although most organizations (83%) say they feel prepared to manage those risks, our research indicates that this confidence may be overly optimistic.
While some companies state they have security solutions set up, these are unlikely to be effective across many businesses unless specialized solutions are deployed and robust processes, clear guidance and training are in place.
The measures taken by the better-prepared organizations to improve their overall cyber risk management framework and to better secure their ICS include:
- Having documented and approved cybersecurity policies and programs in place
- Testing their procedures
- Understanding how to identify potential weaknesses and risks around ICS security
- Implementing a range of security measures
- Conducting security assessments/audits of ICS and control networks
- Installing a unidirectional gateway between control systems and the rest of the network
- Running vulnerability scans and issuing patches every week or two
- Installing anti-malware solutions for industrial endpoints
- Using industrial anomaly detection tools
- Running intrusion detection and prevention tools
- Providing staff and contractors with regular security awareness training
Clearly, the results of this research show there is a great deal of work to be done to ensure that industrial companies are protected as well as possible against the increasing risk of cybersecurity breaches in their ICS environments.
Industrial cybersecurity incidents happen frequently – over half of the sample had experienced at least one incident in the last 12 months. But despite awareness of and claimed readiness for incidents, companies are often underestimating both the source and impact of such incidents. It’s essential that steps are taken to identify the risks to ICS environments. By putting rigorous policies and procedures in place to manage risks, companies put themselves in the best possible position to secure their operational technology.
True cybersecurity starts with people:
- Training – Companies conducting regular security awareness programs for staff, contractors and partners typically experience less financial loss than those that don’t. Investing in cybersecurity awareness for all staff is critical in the ‘war’ against industrial cyber risks.
- ICS Security Professionals – Having skilled and trained ICS security professionals who understand the needs of the two worlds of ICS and cybersecurity is extremely important for any modern industrial organization. Where such talent does not exist within an organization, it is essential that this critical resource is outsourced.