Malicious actors are increasingly launching digital attacks against industrial organizations. Many of these campaigns have been successful, particularly those that have targeted energy utilities and manufacturing plants. In late spring 2019, for instance, aircraft parts manufacturer ASCO temporarily suspended operations worldwide after falling victim to a ransomware attack.
It was about a month later when City Power, one of the largest electricity suppliers to Johannesburg, suffered a ransomware attack, causing some residents to lose power. News of this incident arrived several months before the Nuclear Power Corporation of India Ltd confirmed a ransomware infection on the network of the Kudankulam Nuclear Power Plant.
These attacks raise an important question: what are industrial organizations doing to protect themselves against digital threats?
To find out, Tripwire commissioned Dimensional Research to survey 263 qualified professionals who were directly responsible for the security of industrial control systems (ICS) at an energy, manufacturing, chemical or other industrial organization. These professionals’ responses reveal the extent to which concern over ICS security threats corresponds with their employer’s level of security preparedness. It also highlights certain areas where industrial organizations can improve their security defenses going forward.
Widespread Concern among ICS Security Professionals
A majority (88 percent) of ICS security professionals said they’re concerned about the threat of their organization falling victim to a digital attack. The level of concern was slightly lower among those in the automotive and transportation industry at 82 percent. However, it was near-unanimous in the energy, oil and gas sector at 97 percent.
When asked to clarify their concerns, 93 percent of survey respondents told Dimensional Research that they’re at least somewhat concerned by the potential for operational shutdowns and downtime. Survey participants said that a successful attack against their organization could produce even more serious consequences, however; two-thirds said that a catastrophic event such as an explosion was possible. This perspective is especially concerning given the fact that approximately half (48 percent) of ICS security professionals think a successful attack is inevitable unless their employer makes significant changes.
A Lack in ICS Security Investment
It would appear that some organizations have a long way to go. Just 12 percent of ICS security professionals were highly confident in their employer’s ability to address a digital attack before it affects the safety, productivity and quality of operations. This number directly corresponds to the percentage of survey participants who were concerned about digital attacks, as identified above.
One of the reasons for this lack of confidence is insufficient security investment. Half of respondents said that their organizations have not invested enough in ICS security. Even more concerningly, 23 percent of ICS security professionals told Dimensional Research that their employer had not made any investments in protecting their ICS systems over the past two years. Slightly less than that (22 percent) said that this was the case because the types of available technology of which they were aware did not address their organization’s security needs.
Needless to say, insufficient security investments have weakened the ability of industrial organizations to defend themselves against digital threats. These effects have even affected many organizations’ ability to apply the security basics in a number of key areas. For instance,
- Just over half (52 percent) of ICS security professionals stated that their organization uses an asset inventory to track more than 70 percent of their operational technology (OT) assets.
- About a third (31 percent) of participants revealed to Tripwire that they don’t have normal baselines for their OT devices.
- Slightly more than that (39 percent) admitted their organization doesn’t use a log management solution for industrial assets.
- Eighty-four percent of survey respondents said they were concerned that applying new security tools in their industrial environments could disrupt processes or operations.
The Way Forward for Industrial Organizations
Industrial organizations can address these security lapses and defend their ICS systems by investing in the security fundamentals. This process all starts with gaining visibility over their industrial environment. As Tripwire’s researchers note in the survey:
Having visibility into all of the assets on the OT network is essential to understanding where cyber risks lie in the industrial environment. Organizations should understand which devices are connected, if they are configured correctly, if they vulnerable, and if they are operating properly.
From there, organizations can look to leverage the improving level of collaboration between IT and OT teams in their efforts to apply additional security fundamentals such as security configuration management, vulnerability management and log management. Organizations can address these matters on their own, of course. Even so, they might want to consider enlisting the help of a sophisticated solutions provider that can better streamline these security efforts across every one of their customers’ industrial devices.
Learn how Tripwire’s solutions can build up your organization’s ICS security program.