Around 70 percent of industrial companies consider a cybersecurity attack on their Operational Technology and Industrial Control Systems likely, a survey found. However it was astonishing that despite this knowledge many have not defined their own outlook to implementing better cybersecurity.
The survey, which was conducted by ARC Advisory Group, was on the state of cybersecurity of Industrial Control Systems. It was to understand the measures and processes involved in the prevention of cyber-incidents in industry.
Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks. Together with physical security it is used to protect against unauthorized access to data centers and other information systems.
According to the survey, interviews with industry experts have shown that there is an increased awareness of the need for securing Operational Technology and Industrial Control Systems. Many respondents also said that internal security trainings have become more frequent.
Regarding the nature of cybersecurity threats they expected, more than half of the respondents of the survey said health and safety and prevention of damage to production equipment was their highest priority. In a general list of priorities, adopting OT/ICS cybersecurity was high on the list of industrial priorities.
According to many of the interviews conducted by the survey team, the real challenge could be the human element. While there are new training courses prescribed for various employees, many security managers have said that employees usually fall back into old patterns of behaviour that could endanger the cybersecurity of the enterprise if regular training courses are not held.
The survey also showed that it is not easy to find ICS cybersecurity experts who have adequate OT knowledge. This essentially means that facilities are threatened by the fact that there are too few ICS security experts. It is not easy to bring in external experts to make recommendations either, since there are not enough reliable providers available. The only way to deal with this situation is to make new training opportunities a reality for everyone, to have more skilled personnel in the enterprise, else the situation could worsen.
“ICS cybersecurity is often seen as a project that is completed on a target date. Then all protection measures are tested and installed. This assumption is wrong because the protective measures must be tested again and again depending on the threat situation.” a Russian production company was quoted as saying.
While the survey finds that more than 80 percent of the industrial companies surveyed have stated that operational technology cybersecurity is a high priority, only 31 percent have actually implemented an incident response program. While 37 percent of companies have said they will implement the program in the next 12 months, it still remains a worrying situation because it essentially means that a cyberattack and its aftermath could be mishandled.
To ensure industrial companies put the appropriate measures in place, IEC 62443 describes procedures for handling a cyberattack which should be implemented as soon as possible.
IEC 62443 is the global standard for the security of Industrial Control System (ICS) networks and helps organizations to reduce both the risk of failure and exposure of ICS networks to cyber threats.
Another interesting part of the survey was the behavioral psychology of companies that confirmed something that has been obvious all along. Companies that have well defined OT/ICS cybersecurity processes believe that other organizations also have well-defined processes, while companies that don’t have clearly defined processes felt the entire industry is yet to catch up.
This could actually mean that how a company approaches cybersecurity often reflects their view of the entire industry. Similarly, around 41 percent companies said they had not experienced a cyber incident within the last year. This is lower than the previous year; however, it could be a relatively positive experience for the industry as a whole because it means that the higher use of intrusion detection solutions today may expose more cyber incidents than were visible in the past. In the previous year’s survey around 51 percent of companies had said they had not experienced a recent cyber incident.
Many companies have accepted that its own workers could pose a security threat. This could most likely be unintentional. There have been instances of unintentional actions by employees that could lead to disruption in Industrial Control Systems disruptions. This was described as being due to lack of awareness about new digital automation systems.
Ongoing training rather than one off training programs is the main way to ensure that employees stay updated with the latest in OT/ICS automation systems and other related systems procedures. Training of personnel was stated to be an important way to keep security intact and an important security measure.
Attacks that have gone undetected could also be the reason people are not taking cybersecurity seriously enough, some experts said.
“Many companies overestimate their installed security measures. Just because no cyber-incidents have been observed over a long period of time does not mean that none have taken place. Perhaps the attacks are just not detected,” an oil & gas Company was quoted as saying
However, conventional malware attacks are still being seen even with automation. Although more and more targeted attacks on companies are being observed, the danger from classic malware attacks is still present. For example, in 2019, a metallurgy company had to shut down for a week after a ransomware attack. According to the company’s financial report, costs for the system backup and production downtime amounted to more than €50 million.
Ransomware can be devastating to companies. It is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
This actually means that even with the latest technology an attack can occur if personnel are not trained to identify threats and attacks. Even with the most up-to-date cybersecurity systems in place, a vulnerable spot still remains and is the person or people handling the systems.
“We discovered that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” Larry Ponemon, Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy, data protection and information security practices said.
Efficiently dealing with cybersecurity challenges that could occur in the future is something every company should not just prioritize but also act upon. It means that companies must adjust their current strategies and think ahead. They should make important decisions about personnel, cybersecurity technology and budget with this in mind.
Industrial companies need to up their game if they want to prevent new threats from emerging and having to deal with the consequence of cyber-attacks. This includes offering advanced OT/ICS cybersecurity training courses, including the configuration and maintenance of OT security components or a process to introduce advanced patch management.
2019 could likely be the year of digitization in OT automation. Companies will use digital methods to further improve their competitiveness. This could also bring in new possibilities of threats and the number of threats on OT automation could increase further.
Knowing the most vulnerable area of the enterprise and then giving it maximum attention is also important. Identifying the vulnerable areas is just as important as protecting it, some experts said.
For example in the past, Elon Musk has said that his top cybersecurity concern was preventing a fleet-wide hack of Teslas. Companies realizing exactly which area of cybersecurity they should provide their maximum attention to and budget allocation to, could also help in the long term.