Industrial companies experienced at least one incident in the past 12 months, and the annual cost of an attack can be as high as $500,000, according to a new report.
Notably, a majority of those industrial companies said they are well prepared to handle a cybersecurity incident, according to the report by Kaspersky Lab.
The security firm conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.
A strong majority of the respondents (83 percent) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent said they had a dedicated policy or program in place.
However, half of them have experienced between one and five security incidents in the past year, and one percent said they were hit as many as 25 times.
The potential damage from cybersecurity incidents can be considerable. The consequences of these incidents are often far greater than the associated financial losses and reputational damage. Cybersecurity incidents in an ICS environment can:
• Cost lives
• Have a long-lasting impact on the environment
• Attract fines from regulators, customers or partners who have been put at risk
• Result in the loss of a product or service as a result of the breach
• Cause companies to close down completely
“Due to the dynamic nature of cyber-attacks, there are no infallible cybersecurity systems,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, the risk can be greatly reduced by implementing a layered defense involving anomaly detection with machine learning capabilities where a baseline of industrial control systems can be established and any deviations can be alerted and acted upon. Introducing machine learning and artificial intelligence into the ICS environment is key to faster and more efficient processes for securing unique industrial networks. Finally, closely following the NIST framework and best practices can also improve the risk posture of industrial control systems as standardization helps to facilitate peer-validated security architectures, protocols and guidelines.”
The main concern for organizations is conventional malware infections, which also accounted for the highest percentage of actual incidents, according to the report.
Other areas of concern include threats from third parties, sabotage or other damage caused from the outside, ransomware, and targeted attacks. Many are also concerned about the impact of employee errors or unintentional actions, and sabotage or intentional damage from the inside.
The companies surveyed by Kaspersky said they spent a lot of money dealing with cybersecurity incidents. The average financial loss was roughly $347,000 per year, but organizations with more than 500 employees said they spent nearly $500,000.
These costs include the bill for addressing the consequences of the incident, software upgrades, staff and training.
As for the ICS security measures taken by organizations, two-thirds of respondents said they rely on anti-malware solutions and security awareness training. Roughly half of companies also use intrusion detection and prevention systems, security audits, unidirectional gateways, vulnerability scanning and patch management, asset identification and management, and anomaly detection.
Kaspersky pointed out that the move toward more advanced security technologies, rather than traditional air-gapping, is a good sign.
The report shows the main challenges of managing ICS cybersecurity are related to finding employees with the right skillset and finding reliable partners for implementing security solutions.
The findings come from Kaspersky Lab’s report “The State of Industrial Cybersecurity 2017.”