ICS security at risk in key verticals, report shows

The security of industrial control systems (ICS) is at risk in key verticals due to under staffing, under investment and human error, a report reveals

Almost 40% of industrial control systems (ICS) faced attacks in the second half of 2017, but industrial and energy firms are finding these systems difficult to secure, according to a report by Kaspersky Lab.

Understaffing, underinvestment and the human factor are the top three challenges to keeping industrial networks secure, the security firm’s State of industrial cybersecurity 2018 survey shows.  

The resultant gaps in cyber security in critical infrastructure can significantly increase the risks for organisations, the report warns.

Despite the frequency of ICS network attacks, only 52% of companies have dedicated response measures in place to deal with such an incident, the study found.

This is in sharp contrast to corporate network security, with 77% of polled organisations indicating that they have implemented response measures for incidents affecting corporate IT.

Understaffing

Understaffing was identified as one of the top reasons that industrial organisations struggle to keep ICS networks secure.

The report found that the task of protecting industrial networks often falls to those providing corporate information security.

In 40% of manufacturing organisations, ICS protection is the responsibility of corporate IT security officers, while in transport and logistics companies, only 58% said ICS safety is provided by a dedicated team working full time to combat threats.

Industrial organisations, especially those with complex technological processes, need highly specialised, qualified employees to fill the gap, the report said. It cited the energy sector as an example, where 61% of respondents said hiring employees with the relevant skills is the main challenge to managing national critical infrastructure with the help of ICS.

Underfunding

In many enterprises, IT security is a priority for senior management, but the survey found that in more than half (54%) of manufacturing companies, top management has little to no involvement in ICS protection issues, which results in underinvestment.

The survey shows that 66% of manufacturing firms do not have a dedicated budget for providing security of critical infrastructure. This position remains unchanged, even in the event or risk of an incident, with 17% of manufacturing organisations not considering this a sufficient enough reason to invest in ICS security.

The human factor

The consequences of employee errors pose a critical threat to half of all organisations in all sectors, the report said, noting that this is not surprising, given that after ransomware and other malware, it is the most common reason for security incidents in ICS.

However, the study found that companies are aware of this problem and are trying to solve it by training personnel and creating rules of behaviour on critical infrastructure objects, with 82% of organisations saying they have already implemented training for employees, contractors and suppliers.

Countermeasures

Depending on the industry, organisations have different assessments concerning the damage caused to their business by cyber threats, the report found.

For transport and logistics companies that build their business based on a service model, the most negative impact is losing customer confidence (75%). But for the majority of manufacturing enterprises (66%) and energy companies (73%), their biggest concern is compromising the quality of production due to a cyber attack.

Whatever the most feared consequences for industrial organisations, the report said the only way to prevent or lessen the effect of an attack is to put in place robust safety measures and procedures for ICS networks.

Monitoring and timely responses to incidents on industrial networks should become key IT security priorities, the report said, along with educating and arming staff on how to minimise the risks to their business.

“We tend not to think of an employee weakness as a reason for posing a threat to a business. However, our research has found that accidental actions are having an impact on the failure or complete shutdown of production processes,” said David Emm, principal security researcher at Kaspersky Lab.

“The consequences of this may be both financial and reputational, so it’s important enterprises recognise this factor, and put in place robust safety measures and procedures to prevent this,” he said.

Read more about ICS security

  • Cyber attackers specialising in industrial control systems are fast, efficient and able to move between IT and OT environments, a study has revealed.
  • Cyber threat to industrial control systems highest yet.
  • Airbus is helping to drive the cyber security market for industrial control systems used throughout industry, including many providers of critical national infrastructure.
  • There is a pressing need to improve cyber security in industrial control system environments, according to security certification body Crest.
  • Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security.

Read more on Hackers and cybercrime prevention