ICS cybersecurity: A view from the field

We conducted a global survey of 359 industrial cybersecurity practitioners to learn more about perceptions and realities.

Over the past few years, even mass media have been writing about industrial control systems (ICS) cybersecurity incidents with increasing frequency. Unfortunately, the problem lies not only in targeted attacks aimed at the industrial sector, such as BlackEnergy or Operation Ghoul, but also in more common cyberthreats that do not target specific victims. The latest example is WannaCry ransomware, which was not explicitly designed to target industrial control systems yet managed to infiltrate a number of ICS networks and, in some instances, led to the downtime of industrial processes.

But how are those in charge of ICS security responding to the threats? How do those cybersecurity practitioners perceive the risks, and do they have the skills to address them? How do perception and reality align? We observed a certain gap between the perception of ICS incidents inside industrial companies and the reality. That is why we, with the help of Business Advantage, conducted a global survey of 359 industrial cybersecurity practitioners. Here is what we found.

ICS cybersecurity findings

  • 83% of respondents believe they are well prepared to face an ICS cybersecurity incident. At the same time, half of the companies surveyed experienced one to five IT security incidents in the past 12 months, and 4% experienced more than six.
  • ICS security practitioners have a good sense of the realities, but they’re not convinced their feelings are shared: 31% say ICS cybersecurity is a low priority for senior management.
  • Ineffective cybersecurity costs industrial organizations $497K per year on average.
  • For the majority of ICS organizations, conventional malware remains the biggest pain point: 56% of respondents consider it the most concerning vector. Here, perception meets reality; half of all respondents had to mitigate the consequences of conventional malware last year.
  • The top three consequences of the incidents experienced include damage to product and service quality, loss of proprietary or confidential information, and reduction or loss of production at a site.
  • Half of the ICS companies surveyed admit that external providers have access to industrial control networks in their organization, widening the threat perimeter.
  • 81% of companies report increased use of wireless connections to the industrial network. This signals the end of any realistic air-gap security strategy.
  • The top three most popular types of security solution are the usual suspects: antimalware, network monitoring, and device access controls. But at the same time, 54% haven’t considered vulnerability scanning and patch management, and of those that have, 41% issue patches once a month or even less frequently. As WannaCry showed, that is not a solid strategy.

Our conclusions

Although the research shows that practitioners are aware of threats, their perceptions and responses to them indicate a need for better understanding of the nature of the threats and how to fight them. Current industrial cybersecurity strategies are largely inconsistent, with organizations putting solutions in place but not following up with strong processes, guidance, and properly implemented software.

Kaspersky Lab recommends that industrial organizations invest in their people by raising awareness of the issues and educating users to understand the threats and behaviors that put the business at risk. The skills gap can be addressed by outsourcing industrial cybersecurity-specific management to specialized external teams that understand the unique requirements of the sector.

Additionally, cybersecurity solutions developed specifically for the sector provide far more effective protection than generic solutions, which, as we’ve seen, leave at least 50% of organizations exposed to breaches.
