BOULDER CREEK, Calif. — Since last spring, U.S. Department of Homeland Security warnings to manufacturers and infrastructure owners about industrial control systems’ vulnerabilities to cyberattack have grown increasingly dire. In October, those warnings were recast as stark realities when DHS and the FBI issued a joint technical alert confirming ICS cyberattacks against manufacturers as well as energy, nuclear, and water utilities. The breaches are part of a long-term campaign targeting small and low-security networks as vectors for gaining access to larger, high-value networks in the energy sector.

Made especially visible by May’s worldwide WannaCry ransomware attacks, the security and cybersecurity of industrial control and automation systems have become a topic that can’t safely be ignored. Yet the 2017 annual Kaspersky Lab ICS survey of cybersecurity practitioners at industrial organizations found that while half experienced at least one IT security incident in the previous year, 31 percent said ICS cybersecurity is still a low priority for senior management. Kaspersky itself late last month said it would undertake third-party security reviews of its anti-virus software after the DHS moved to bar the use of Kaspersky products by government agencies and vendors. DHS announced the move after data was stolen from a National Security Agency contractor’s home computer, which was running a version of Kaspersky AV.

The 2017 annual SANS Institute survey of ICS security practitioners found that nearly 69 percent describe the threats to their ICS as either high or severe/critical, but only 46 percent apply vendor-validated patches regularly, and 40 percent aren’t even sure whether their control systems were compromised during the previous year. On the plus side, awareness of, and budgets for, ICS security is increasing, the survey found. Yet external threats such as hacking are perceived as only slightly more dangerous than adding unprotected devices and “things” to the network.

As more devices get connected to Industrial Internet of Things (IIoT) networks, increasingly sophisticated cyberthreats originally directed at IT environments are entering operational technology (OT) environments, including ICS, said Abhi Dugar, IDC’s research director for IoT security. Those threats pose very different and potentially larger, more hazardous risks as they migrate to OT environments, where potential targets include critical infrastructure such as power grids and dams. 

NEXT PAGE: Increasing Demand for Effective Security Solutions