28 June 2018

The State of Industrial Cybersecurity 2018: findings of joint survey by Kaspersky Lab and PAC

Kaspersky Lab has published the results of The State of Industrial Cybersecurity study carried out in collaboration with PAC, a CXP Group Company, and based on a survey of 320 professionals representing companies from such sectors as manufacturing and industrial production, energy, mining, transport, and logistics. The survey was conducted in April – May 2018 in 25 countries across the globe.

There is a growing trend for digitalization among industrial organizations such as power sector enterprises, manufacturing facilities and public utilities, which rely on industrial control systems (ICS) for their operations. The convergence of IT and operational technology (OT), the wider connectivity of OT with external networks, and the growing number of industrial IoT devices help to boost the efficiency of industrial processes.

15% of industrial organizations already using cloud solutions for their SCADA systems and a further 25% planning to implement such solutions in the next 12 months. The industrial internet of things and cloud-based systems have added a new dimension to industrial cybersecurity, which is proving a challenge for enterprises.

More than half (54%) of the companies surveyed have reported that they consider the increased risks associated with connectivity and the integration of IoT ecosystems, as well as the measures required to manage these risks, to be a major OT/ICS cybersecurity-related challenge.

All these developments in connectivity come with acknowledged cybersecurity dangers: 65% of companies believe that ICS security risks are more likely with IoT. Over three quarters (77%) of companies believe their organization is likely to become the target of a cybersecurity incident involving their industrial control networks.

Even though industrial organizations have an understanding of the risks associated with increased digitalization, many of them are not adopting the cybersecurity practices that can protect their operational technology, leaving a gap between the cybersecurity of their IT networks and that of their OT/ICS networks.

51% of industrial companies claim that they were not affected by any cybersecurity incidents in the past year. With half of the respondents working in IT departments, this suggests that IT managers may be unaware of incidents affecting their enterprises’ industrial control systems – perhaps because they lack a comprehensive approach to the cybersecurity of their organizations.

48% of organizations admit they have no measures in place to detect attacks affecting their industrial control networks, even though such attacks can have disastrous consequences, including damage to equipment and products/services, the loss of customer confidence and business opportunities, or even environmental damage and loss of production at one or multiple sites. 20% of the companies that have fallen victim to at least one ICS cybersecurity incident over the past 12 months report that the financial damage to their business has increased, giving them a further incentive to invest in cybersecurity.

While concern about the risk of targeted attacks has grown, targeted attacks affecting the sector accounted for just 16% of OT/ICS cybersecurity incidents reported in 2018 (down from 36% in 2017), suggesting that the concern about the risks associated with targeted attacks is misplaced.

The OT systems of industrial organizations continued to be subjected to conventional and mass malware attacks. Almost two-thirds (64%) of those companies which reported at least one cybersecurity incident in their OT/ICS infrastructure in the past 12 months said that these incidents were caused by conventional malware. 30% of companies suffered a ransomware attack and 27% had their ICS breached due to the errors and actions of employees.

It is vital that cybersecurity measures keep up with the rate of technology adoption. Industrial companies should take ICS incident response programs more seriously to minimize the risk of severe operational, financial and reputational damage. Only by developing effective incident response programs and by deploying dedicated cybersecurity solutions to manage the security of complex connected and distributed industrial ecosystems, can businesses protect their services and products, as well as their customers and the environment.

The full text of the report can be downloaded here.