ICS security at risk in key verticals, report shows

Understaffing

Understaffing was identified as one of the top reasons that industrial organisations struggle to keep ICS networks secure.

The report found that the task of protecting industrial networks often falls to those providing corporate information security.

In 40% of manufacturing organisations, ICS protection is the responsibility of corporate IT security officers, while in transport and logistics companies, only 58% said ICS safety is provided by a dedicated team working full time to combat threats.

Industrial organisations, especially those with complex technological processes, need highly specialised, qualified employees to fill the gap, the report said. It cited the energy sector as an example, where 61% of respondents said hiring employees with the relevant skills is the main challenge to managing national critical infrastructure with the help of ICS.

Underfunding

In many enterprises, IT security is a priority for senior management, but the survey found that in more than half (54%) of manufacturing companies, top management has little to no involvement in ICS protection issues, which results in underinvestment.

The survey shows that 66% of manufacturing firms do not have a dedicated budget for providing security of critical infrastructure. This position remains unchanged, even in the event or risk of an incident, with 17% of manufacturing organisations not considering this a sufficient enough reason to invest in ICS security.

The human factor

The consequences of employee errors pose a critical threat to half of all organisations in all sectors, the report said, noting that this is not surprising, given that after ransomware and other malware, it is the most common reason for security incidents in ICS.

However, the study found that companies are aware of this problem and are trying to solve it by training personnel and creating rules of behaviour on critical infrastructure objects, with 82% of organisations saying they have already implemented training for employees, contractors and suppliers.

Countermeasures

Depending on the industry, organisations have different assessments concerning the damage caused to their business by cyber threats, the report found.

For transport and logistics companies that build their business based on a service model, the most negative impact is losing customer confidence (75%). But for the majority of manufacturing enterprises (66%) and energy companies (73%), their biggest concern is compromising the quality of production due to a cyber attack.

Whatever the most feared consequences for industrial organisations, the report said the only way to prevent or lessen the effect of an attack is to put in place robust safety measures and procedures for ICS networks.

Monitoring and timely responses to incidents on industrial networks should become key IT security priorities, the report said, along with educating and arming staff on how to minimise the risks to their business.

“We tend not to think of an employee weakness as a reason for posing a threat to a business. However, our research has found that accidental actions are having an impact on the failure or complete shutdown of production processes,” said David Emm, principal security researcher at Kaspersky Lab.

“The consequences of this may be both financial and reputational, so it’s important enterprises recognise this factor, and put in place robust safety measures and procedures to prevent this,” he said.