Industrial organizations are concerned about IoT security, with 77% believing their ICS network will suffer an attack. Yet nearly half have no measures in place to detect such an attack.

Industrial organizations say cybersecurity is a priority, even while most expect to become a target of a cybersecurity incident. But how big of a priority can it be if nearly half of the companies in a recent survey admitted to not having any measures in place to even detect or monitor if their industrial control networks suffered an attack?

It seems everyone wants in on the Internet of Things (IoT), and that desire for connectivity includes power plants, water treatment centers, and manufacturers, even though 65 percent of surveyed companies acknowledged that Industrial Control Systems (ICS) security risks are more likely with IoT.

Nevertheless, organizations want to bump up the efficiency of their industrial processes with new IT. They are pouring money into security for IT networks, while also boosting automation efficiency by connecting their operational technology (OT) with external networks. They do this despite 77 percent believing their organization is likely to become a target of a cybersecurity incident involving their industrial control networks.

Those are but a few insights into the concerns of 320 global professionals, across 23 countries, with decision-making power on OT-ICS cybersecurity. They were surveyed by Pierre Audoin Consultants (PAC) on behalf of Kaspersky Lab; the results can be seen in Kaspersky’s State of Industrial Cybersecurity 2018 report (pdf).

More than half of the industrial companies, 51 percent, claimed they did not suffer a breach or cybersecurity incident in the past 12 months.
While that seems like good news, Kaspersky Lab wondered if the companies would even have known if they were attacked, as 48 percent of the organizations admitted to having no measures in place to detect or track attacks.

It is worth noting that 8 percent answered that they honestly don’t know how many cybersecurity incidents tied to OT/ICS or control system networks occurred in the last year, while 10 percent can’t be bothered to measure the number of incidents and breaches.

Operational technology wide open to attack

Even though a majority of the organizations are beefing up security on the IT side, they are leaving the doors to their OT “wide open,” which allows “basic threats such as ransomware and malware to step right in and catch them.”

In fact, the survey revealed that organizations’ perceived risks are not always the actual pain points.

What do organizations that rely on ICS fear? Sixty-six percent of the surveyed companies fear targeted attacks and APTs, 65 percent are concerned about conventional malware, 64 percent are worried about ransomware attacks, and 59 percent are concerned about data leaks and spying.

What really caused security incidents? Kaspersky noted that “almost two-thirds (64 percent) of companies experienced at least one conventional malware or virus attack on their ICS in the last 12 months. Thirty percent of companies suffered a ransomware attack, and 27 percent had their ICS breached due to the errors and actions of employees.
Targeted attacks affecting the sector accounted for just 16 percent in 2018 (down from 36 percent in 2017), suggesting that the concern and reality around the risks of targeted attacks is misplaced — and that companies relying on ICS are still falling victim to more conventional threats, including malware and ransomware, as well as targeted attacks.”

A few other tidbits that seem to jump off the page: 16 percent of the companies opted not to report any breaches or incidents that occurred in the last year, and only 23 percent are compliant with mandatory industry or governmental regulations or guidance.