Humans throw a spanner into cybersecurity’s works
More than half of cybersecurity breaches involving industrial computer networks happen because of employee errors, a recent survey has found
Despite automation, the human factor continued to put industrial computer networks at risk, according to a recent international study by cybersecurity specialist Kaspersky Lab.
Following a survey of 282 industrial organisations across the globe, Kaspersky said in its recently released report – titled State of Industrial Cybersecurity 2019 – that employee errors or unintentional actions had been the cause of 52 percent of the security incidents reported by respondents.
The report added that the growing complexity of industrial computer networks – including operational technology and industrial control systems (OT/ICS) – demanded advanced protection and skills, but low awareness among employees regarding cybersecurity concepts and a shortage of professionals to handle new developments remained problematic for many of the organisations surveyed.
While 81 percent of respondents indicated that digitalisation of industrial networks and adoption of Industry 4.0 standards were seen as important or very important tasks for this year, only 57 percent had allocated budgets to implement cybersecurity measures to protect the systems they would implement.
The survey revealed that, in addition to budget constraints, few respondents had faith in the skills of their OT/ICS operators to manage the networks. “Most of the organisations are experiencing a lack of cybersecurity experts with the right skills, and are also worried that their OT/ICS network operators are not fully aware of behaviour that can cause breaches in cybersecurity.
“These challenges make up the top two major concerns relating to cybersecurity management and go some way to explaining why employee errors cause half of all ICS incidents – not only malware infections, but also more serious, targeted attacks,” the report said.
In almost half of the organisations surveyed – 45 percent – employees responsible for IT infrastructure security also managed security concerning OT/ICS networks, combining the tasks with their core responsibilities.
“Such an approach may carry security risks: although operational and corporate networks are becoming increasingly connected, specialists on each side can have different approaches to security,” the report noted.
Georgy Shebuldaev, Kaspersky’s brand manager for industrial cybersecurity, said while the study showed that companies were seeking to improve protection for industrial networks, the goal could be achieved only if risks related to the lack of qualified staff and employee errors were addressed.
“Taking a comprehensive, multi-layered approach – which combines technical protection with regular training of IT security specialists and industrial network operators – will ensure networks remain protected from threats and skills stay up to date,” he said.
Commenting on the report, Jesus Molina, chairman of the Industrial Internet Consortium’s security working group, warned that in addition to a technical and awareness boost for industrial cybersecurity, organisations needed to consider specific protection for Industrial Internet of Things (IIoT). “Almost half of the organisations surveyed – 41 percent – say they are ready to connect their OT/ICS networks to the cloud, using preventive maintenance or digital twins.
“However, the growing interconnection between IIoT edge devices and cloud services will bring its own set of security challenges,” he predicted.
In a statement, Kaspersky Lab pointed out that the company had a dedicated portfolio of solutions and services to address the challenges facing industrial organisations. “Kaspersky Industrial CyberSecurity combines protection for industrial endpoints and networks to deal with threats at operator and network level in ICS environments, with advanced-threat intelligence and incident-response services.
“It also provides training and a specially designed awareness programme for cybersecurity experts and OT managers/ICS operators,” the statement concluded.