In 2020 ARC Advisory Group on behalf of Kaspersky conducted a survey on the state of industrial cybersecurity, as well as the current priorities and challenges of industrial organizations. More than 330 industrial companies and organizations across the globe were surveyed online and 10 industry representatives were interviewed at trade fairs and ARC forums worldwide.
This report explores the results of the survey and analyzes the worldwide status quo and future development with regard to industrial cybersecurity. The report also examines how industrial companies changed their cybersecurity priorities because of the COVID-19 pandemic. This trend study is annual and follows the 2017, 2018 and 2019 reports.
How the pandemic impacted cybersecurity
- Many companies have changed the way they operate as a result of the pandemic, with 30% of respondents confirming that they have been operating with a remote workforce. This became a stress test for cybersecurity processes. As a result, 14% of organizations said they revised their cybersecurity concepts, and only seven percent stated that their cybersecurity strategy was sufficient during the pandemic. The increase in the number of remote workers drove up the number of OT network scan attempts during the pandemic. The result was that companies recognized the need to supplement cybersecurity procedures during exceptional situations.
Cybersecurity maturity model in the age of digitalization
- Many companies expect certain benefits from digitization, such as improved efficiency. This is certainly possible, but interconnected digital devices influence the OT topology, so well-known ICS cybersecurity maturity models must be upgraded. 55% of respondents confirmed that their OT networks are checked for security issues at least once a year or more often. This suggests that the important principles for basic cybersecurity protection are in place. Furthermore, 44% stated that they work daily on cybersecurity initiatives for digital transformation.
Key ICS cybersecurity drivers
- In many companies today, the deployment of cybersecurity budgets is decided in interdisciplinary teams. The reason for this is the complexity of ICS. The best way to find suitable protection measures is to consult experts from different fields. These include experts from IT, ICS, safety and production. 67% of respondents confirmed that such a team has more and more influence on cybersecurity decision-making.
Gaps during cybersecurity implementation
- In the age of digitalization, communication inside OT networks often changes. It is therefore advisable to review security gaps in an OT network regularly. In particular, when a security vulnerability is discovered, why is it closed only after a delay, and are there regional differences? The most frequently mentioned reasons why a vulnerability cannot be closed quickly are undesired production stoppages (34%), approvals taking too long (31%) and too many decision-makers involved (23%).
- Companies should appoint a responsible person to ensure that the identified security vulnerabilities are eliminated in a timely manner. These vulnerabilities represent a great risk and make manipulation easy for attackers.
Typical ICS cyberthreat challenges in 2020
- As is the case every year, accidents caused by hazardous substances and deaths (32%) are globally recognized as the biggest challenges for ICS cybersecurity. For example, fatal accidents can happen in a company if safety systems are manipulated or switched off by cyberattackers. Naturally, these must be avoided at all costs. The challenges named next are surprising: ‘damage of service quality’ and ‘loss of confidential information’, together with ‘mitigation costs’, are also seen as major challenges. This differs from last year’s survey, in which ‘mitigation costs’ played a subordinate role. This could be explained by the fact that incident mitigation now requires special, and sometimes external, expensive resources. At the same time, management is increasingly demanding more up-to-date cybersecurity as it becomes clearer how often companies are attacked, what a cyberattack can cost, and the effect of any resulting negative press.