Although the majority of industrial organisations believe they are well-prepared for cybersecurity incidents, this confidence may be not well-founded. Every second, ICS companies experienced between one and five incidents last year, according to a survey conducted by Kaspersky Lab. On average, ineffective cybersecurity costs industrial organisations up to $497,000 per year. The emerging industry 4.0 trend is making cybersecurity a top priority for industrial organizations globally, adding new challenges to dealing with ICS. Challenges include the convergence of IT and operational technology (OT), and the availability of industrial control networks to external providers. To get more insight into the problems and opportunities faced by ICS organisations today, Kaspersky Lab and Business Advantage have conducted a global survey of 359 industrial cybersecurity practitioners from February–April 2017. One of the survey's main findings is a gap between the reality and perception of ICS incidents. For example, despite 83% of respondents believing they are well-prepared to face an OT/ICS cybersecurity incident, half of companies surveyed experienced between one and five IT security incidents in the past 12 months, and 4% experienced more than six. This raises an important question—what should be changed in these organisations' IT security strategies and protection means, so that they can protect their critical business data and technology processes more efficiently? ICS companies are well aware of the risks they're facing. 74% of respondents believe there may be a cybersecurity attack on their infrastructure. Despite high awareness about new threats such as targeted attacks and ransomware, the biggest pain point for the majority of ICS organisations is still conventional malware, which tops the list of incident experience concerns, with 56% of respondents considering it to be the most concerning vector. In this case, perception meets reality; every second respondent had to mitigate the consequences of conventional malware last year. But there is also a mismatch surrounding employee errors and unintentional actions, which are far more threatening to ICS organisations than actors from the supply chain and partners, as well as sabotage and physical damage by external actors. Meanwhile, the top three incident experience consequences include damage to the product and service quality, loss of proprietary or confidential information, and reduction or loss of production at one site. 86% of organisations surveyed have got an approved and documented ICS cybersecurity policy aimed to safeguard them from potential incidents. However, incident experience proves that a cybersecurity policy alone is not enough. Struggling with a lack of both internal and external IT security expertise, industrial organizations admit that a lack of skills is the utmost concern when it comes to ICS security. This is extremely worrisome, as it indicates that industrial organizations are not always ready to fight attacks, while they are constantly at the edge of being compromised—sometimes by their own employees. On the positive side, the security strategies adopted by ICS practitioners look quite solid. The majority of companies have already given up on using air gap as a security measure, and instead are adopting comprehensive cybersecurity solutions. "They [companies] need a solid understanding of the threat landscape, well-considered protection means, and they need to ensure employee awareness," said Andrey Suvorov, head of Critical Infrastructure Protection at Kaspersky Lab. "With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind."
