Fifty-four percent of ICS companies suffered at least one cyberattack in the last 12 months – with 21 percent experiencing two incidents in the same time frame, a new report found.
Overall, half of the companies surveyed experienced between one and five IT security incidents in the past 12 months.
To gain a better understanding of the issues and opportunities faced by ICS organizations, Kaspersky Lab and Business Advantage conducted a survey of 359 industrial cybersecurity practitioners from 21 countries between February and April 2017. The research indicated a gap between the reality and the perception of ICS incidents.
Organizations may not always know whether there has been an attack on their control systems, either because the attack was subtle and designed to identify small weaknesses, or because the existing risk controls successfully intercepted the threat.
ICS companies surveyed are aware of the risk that a cyberattack could occur on their systems, with 74 percent of respondents saying they expect a cybersecurity attack on their infrastructure, but there is a misunderstanding when it comes to prioritizing the risks these systems are facing.
Despite high awareness of newer threats such as targeted attacks and ransomware, the biggest pain point for the majority of ICS organizations is still conventional malware. Among respondents, conventional malware and virus outbreaks were the top incident concern (56 percent), followed by threats from third parties (44 percent) and, in third place, sabotage or other intentional physical damage by external actors (41 percent).
The findings also show confusion surrounding employee errors and unintentional actions, which are far more threatening to ICS organizations than respondents assume. The top threats that actually caused incidents were conventional malware and virus outbreaks (53 percent), followed by targeted attacks (36 percent) and, in third place, employee errors and unintentional actions (29 percent). Human error therefore ranks higher as a cause of incidents than supply-chain and partner actors or sabotage and physical damage by external actors, yet external actors are among the top three risks that ICS organizations worry about most.
Struggling with a lack of internal and external IT security expertise, industrial organizations admit that a shortage of skills is their top concern when it comes to ICS security. The top "priority" and "main priority" for respondents is hiring ICS cybersecurity employees with the right skills. This finding is worrisome because it indicates that industrial organizations are not always ready to fight attacks, while they are certainly vulnerable to being compromised by both external threats and internal employee threats.
Not only is there a lack of ICS cybersecurity talent in the industry, but overall, there is a major lack of information sharing and reporting among ICS companies. Incidents are considerably underreported due to limited compulsory reporting – with just a quarter of respondents claiming they have to comply with industry or government guidelines. With limited guidance and regulation in the industrial sector, only 19 percent of respondents are required to report breaches, leaving 81 percent not required. Some companies admit to withholding incident reporting to protect brand reputation; however, the majority (two thirds) of businesses said they would welcome some level of compulsory reporting. Therefore, there is a large opportunity for governments and regulators to improve industry reporting and create more transparency.
Of all of the companies that have fallen victim to a cyberattack, the average annual cumulative reported financial loss for a business affected by an ICS cybersecurity breach was $347,603, including the actual consequences of the incident and costs for software upgrades, staff and training. The financial impact on larger companies is even greater, with the annual cumulative losses for companies with 500+ employees reported to be $497,097. The majority of these larger companies (71 percent) have experienced between two and five cybersecurity incidents in the last 12 months.
“As cyberattacks and the growing connected environments of industrial organizations evolve, ICS organizations will continue to face new challenges, and it’s essential that their security strategies are re-assessed now before it is too late,” said Clint Bodungen, senior researcher, critical infrastructure threat analysis, Kaspersky Lab. “Preparedness among all departments in the organization – such as executive leaders, engineers, IT security teams and more – is key to protecting against cyberattacks. Businesses managing ICS environments need to put the necessary policies, procedures, technology and training in place immediately to properly manage these risks before they have an opportunity to damage the business.”