Human error a big risk to ICS cyber security, study shows

Employee errors or unintentional actions were responsible for 52% of incidents affecting operational technology (OT) and industrial control system (ICS) networks in the past year, a study shows.  

This highlights the need for organisations to invest in dedicated security measures and employ suitably qualified professionals to make them work effectively, according to the State of industrial cybersecurity 2019 report by security firm Kaspersky.

Many industrial companies are planning for digitisation of industrial networks and adoption of Industry 4.0 standards, with 81% seeing operational network digitisation as an important or very important task for this year, the survey of 282 organisations and 20 industry representatives around the world shows.

However, the survey report said that despite all the benefits of connected infrastructure, there are associated cyber security risks.

While cyber security is becoming a top priority for industrial companies according to 87% of respondents, only 57% have the allocated budget for industrial cyber security, the survey shows.

In addition to budget constraints, there is also a question over skilled staff, the report said, noting that organisations are not only experiencing a lack of cyber security experts with the right skills to manage protection for industrial networks, but are also worried that their OT/ICS network operators are not fully aware of the behaviour that can cause cyber security breaches.

These challenges make up the top two major concerns relating to cyber security management and go some way to explaining why employee errors cause half of all ICS incidents, the report said.

In almost half of companies (45%), the employees responsible for IT infrastructure security also oversee the security of OT/ ICS networks, combining this task with their core responsibilities. This approach may carry security risks, the report warned.

Although operational and corporate networks are becoming increasingly connected, specialists on each side can have different approaches and goals when it comes to cyber security, the survey showed.

“This year’s study shows that companies are seeking to improve protection for industrial networks,” said Georgy Shebuldaev, brand manager, Kaspersky industrial cyber security. “However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors.

“Taking a comprehensive, multi-layered approach – which combines technical protection with regular training of IT security specialists and industrial network operators – will ensure that networks remain protected from threats and that skills stay up to date.”

In addition to a technical and awareness boost for industrial cyber security, the report said organisations need to consider specific protection for industrial IoT (internet of things) devices that can become highly connected externally.

The survey showed that almost half of companies (41%) are ready to connect their OT/ICS network to the cloud, using preventive maintenance or digital twins.

Jesus Molina, chairman of the Industrial Internet Consortium’s (IIC) Security Working Group, said the study demonstrates that the growing interconnection between IIoT edge devices and cloud services continues to stand as a security challenge.

“It was a major driver for the creation of the IIC’s IIoT Security Framework, as well as the subsequent best practices documents and recent IoT Security Maturity Model,” he said.

Further underlining the importance of recognising the security implications of human error, a freedom of information (FoI) by security firm Egress has revealed that of the 4,856 personal data breaches reported to the Information Commissioner’s Office (ICO) in the first half of 2019, 60% resulted from human error.

Of those incidents, nearly half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Of all data breaches, nearly one-fifth (18%) were reported in healthcare.

Tony Pepper, CEO at Egress, said: “All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person.”

Pepper noted that not every insider breach is the result of reckless or negligent employees, but the presence of human error in breaches means organisations must invest in technology that works alongside the user to mitigate the insider threat, he said.

The statistics further compound findings from the Egress Insider data breach survey 2019, which showed that 95% of IT leaders are concerned about insider threat.

The research also showed that 79% of IT leaders believe that employees have put company data at risk accidentally in the past 12 months, while 61% believe they have done so maliciously.