Although they acknowledge the rising risks of connectivity, many industrial organisations are failing to put practical steps in place, to improve the security of their operational technology
The trend for digitalisation, including increased connectivity and IoT, is growing among industrial organisations such as power plants, manufacturers, and water treatment centers, which rely on industrial control systems (ICS) for their operations. It’s a trend that comes with acknowledged cybersecurity dangers – 65% of companies believe that ICS security risks are more likely with IoT. Yet, Kaspersky Lab has also unearthed a contradiction among the industrial community. The company has found that many organisations are keen to boost the efficiency of their industrial processes with new IT, and although they are investing in security for their IT networks, they are leaving the doors to their operational technology (OT) wide open. This is allowing basic threats such as ransomware and malware to step right in and catch them out. These, and other findings, have been unveiled today in Kaspersky Lab’s ‘State of Industrial Cybersecurity 2018’ report.
Industrial businesses at a crossroads: automation efficiency vs cybersecurity concerns
The convergence of IT and operational technology (OT), the wider connectivity of OT with external networks, and the growing number of Industrial IoT devices, is helping to boost the efficiency of industrial processes. However, these trends bring growing risks and points of vulnerability, leading industrial organisations to feel unsafe – over three quarters (77%) of companies believe their organisation is likely to become the target of a cybersecurity incident involving their industrial control networks.
Organisations are leaving a gap in the way they approach cybersecurity in their IT and OT/ICS networks. Even though they have an understanding of the risks associated with increased digitalisation, they are not putting the right cybersecurity practices in place to protect their operational networks. 51% of industrial companies claim that they were not affected by any cybersecurity incidents in the last year. With half of the research respondents working in the IT department, this finding suggests that IT managers may be unaware of incidents happening within their own industrial control systems – perhaps because they lack a unified approach to their organisation’s overall cybersecurity. There is also room for better integration between IT and OT cybersecurity – a fact highlighted by the discovery that 48% of organisations admit they have no measures in place to detect or monitor if they have suffered an attack concerning their industrial control networks.
These attacks could lead to catastrophic circumstances, including damage to products, loss of customer confidence and business opportunities, or even environmental damage and loss of production at one or multiple sites. For those that have been the victim of at least one ICS cybersecurity incident over the past 12 months, 20% say the financial damage to their business has increased, giving a further incentive to invest in better cybersecurity systems.
Risks perception vs reality: breached by employee mistakes
Despite the awareness and dedicated spend on advanced IT security in the sector, the OT systems of industrial organisations are still getting caught out by conventional and mass malware attacks. While concern has grown around the risk of targeted attacks, almost two-thirds (64%) of companies experienced at least one conventional malware or virus attack on their ICS in the last 12 months. 30% of companies suffered a ransomware attack and a quarter (27%) had their ICS breached due to the errors and actions of employees. Targeted attacks affecting the sector accounted for just 16% in 2018 (down from 36% in 2017), suggesting that the concern and reality around the risks of targeted attacks is misplaced, and that companies relying on ICS are still falling victim to more conventional threats, including malware and ransomware, as well as targeted attacks.
“In today’s digital age, it’s more important, now than ever before, for businesses to realise the true value of cybersecurity. Many organisations are adopting digital trends such as cloud and IoT to improve efficiencies – and it’s positive to see that an increasing amount of firms are also improving their cybersecurity strategies. This includes dedicated measures for safeguarding industrial control networks – a particularly crucial aspect for businesses to protect. However, technology is evolving all the time, which means that businesses need to keep up with the rapidly evolving pace of digitalisation. This includes updating incident response programs to cover specific ICS actions and continuing to use dedicated cybersecurity solutions to help meet the challenge,” says Adam Maskatiya, General Manager for Kaspersky Lab UK.
Future challenges: IoT and cloud
The adoption of Industrial Internet of Things and cloud-based systems have added a new security dimension into the mix, which is proving a challenge for industrial businesses. For over half of companies (54%), the increased risks associated with connectivity and the integration of IoT ecosystems is a major cybersecurity issue for the year ahead, as well as the implementation of measures to manage it.
With companies investing in further smart technologies and automation, and the adoption of industry 4.0, the trend for connectivity and IoT is only going to increase. Indeed, when it comes to cloud deployment, 15% of industrial organisations already use cloud solutions for SCADA control systems, with a further 25% planning to implement these in the next 12 months. This is leading to a considerable drive towards using cloud for the high-level management of critical infrastructure.
It is therefore vital that cybersecurity measures keep up with the rate of technology adoption, to ensure that the rewards outweigh the risks for the organisations involved. Businesses need to take ICS incident response programs more seriously, to avoid risking severe operational, financial and reputational damage. Only by developing a specific incident response program and using dedicated cybersecurity solutions to manage the complex nature of the connected and distributed industrial ecosystems, can businesses keep their services and products, customers and environment safe.