The human factor can still put industrial processes at risk, according to a cyber security company. Employee errors or unintentional actions were behind about half, 52pc of incidents affecting operational technology and industrial control system (OT/ICS) networks last year. According to a Kaspersky report “State of Industrial Cybersecurity 2019”, this issue is part of a wider, more complicated context. The growing complexity of industrial infrastructures demands more advanced protection and skills. But, organisations are experiencing a shortage of professionals to handle new threats and low awareness among employees.
Digitalisation of industrial networks and adoption of Industry 4.0 standards are in the pipeline for many industrial companies. Four out of five organisations (81pc) see operational network digitalisation as an important or very important task for this year. However, for all the benefits that connected infrastructure brings, there are associated cybersecurity risks. OT/ICS cybersecurity is becoming a top priority for industrial companies, as confirmed most (87pc) of respondents. But to achieve the necessary level of protection, they need to invest in dedicated measures and have highly qualified professionals to make them work effectively, according to the cyber firm. Despite stating it as a priority, only just over half of companies (57%) have the allocated budget for industrial cybersecurity.
As for skilled staff, organisations are not only experiencing a lack of cybersecurity experts with the right skills to manage protection for industrial networks, but are worried that their OT/ICS network operators are not fully aware of the behaviour that can cause cybersecurity breaches. These challenges make up the top two major concerns relating to cybersecurity management and go some way to explaining why employee errors cause half of all ICS incidents — such as malware infections — and also more serious targeted attacks.
For near half of companies (45pc), the employees responsible for IT infrastructure security also oversee the security of OT/ ICS networks, combining this task with their core work. Such an approach may carry security risks: although operational and corporate networks are becoming increasingly connected, specialists on each side can have different approaches (37pc) and goals (18pc) when it comes to cybersecurity.
Georgy Shebuldaev, Brand Manager, Kaspersky Industrial Cybersecurity says: “This year’s study shows that companies are seeking to improve protection for industrial networks. However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors. Taking a comprehensive, multi-layered approach – which combines technical protection with regular training of IT security specialists and industrial network operators – will ensure networks remain protected from threats and skills stay up to date.”
