Over half of companies operating industrial control systems (ICS) worldwide suffered between one and five IT security incidents in the last year.
The findings come from Kaspersky Lab’s 2017 report, The State of Industrial Cybersecurity, which polled more than 350 industrial cybersecurity practitioners.
At the same time, the survey found that 83 percent of respondents believe they are well prepared to face attacks, while 74 percent say it’s likely that their organization will suffer an incident.
Among the companies that reported security incidents, conventional malware and virus outbreaks were the most common cause (53 percent) and were also the top concern for the organizations interviewed.
Respondents were also mostly concerned with threats from third parties (44 percent); sabotage or other intentional external damage (41 percent); ransomware (33 percent); targeted attacks, such as APTs (32 percent); and employee errors (31 percent).
“Targeted attacks were in fact the second biggest actual threat to systems and caused incidents in over a third (36 percent) of companies. Surprisingly however, they were rated as only the fifth biggest concern. While human error was the third biggest reason for all incidents (29 percent), it was rated as the sixth biggest concern indicating a gap in perceptions,” the report explained.
Furthermore, while ICS security practitioners are aware of such potential attacks, 31 percent say cybersecurity is a low priority for senior management.
The report also highlighted that companies are struggling to find the right staff and external support to help them manage and reduce cyber risks.
Other challenges of managing ICS cybersecurity included the increasing interconnectedness with corporate and enterprise IT, complexity of ICS environments and industrial networks, as well as lack of budget.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers and IT security teams,” said Andrey Suvorov, head of critical infrastructure protection at Kaspersky Lab.
“They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness,” Suvorov said.
For additional findings, read the full report here (PDF).