Trend study "The State of Industrial Cybersecurity 2018", commissioned by Kaspersky Lab, was prepared by an independent European research and consulting firm CXP Group in June 2018. This report is based on a CATI survey of 320 worldwide professionals with decision-making power on OT/ICS cybersecurity, as well as 12 expert interviews.
Over three quarters of the companies surveyed state that OT/ICS cybersecurity is a major priority. But if companies really attribute such a high level of importance to this topic, it would be essential to carry out the associated measures in a very stringent way. This seems not to be the case in all companies.
- Over three quarters of the companies surveyed state that it is very likely or at least quite likely to become a target of a cybersecurity attack in the OT/ICS space. Despite this, only 23% are compliant with minimal mandatory industry or government guidance and regulations around cybersecurity of industrial control systems. On the other hand, the vast majority of the companies surveyed are increasing their OT/ICS cybersecurity investments or keeping them at least steady.
- More than half of the companies did not experience any incident or breach in the past 12 months. Although this seems to be a good thing at first glance, the question is whether or not they would even have recognized it. Many companies do not detect or even track attacks! Moreover, since the companies surveyed have only just started digital transformation, it can be said that the attack surface will increase along with the level of digitalization.
- For most companies that experienced OT/ICS cybersecurity incidents or breaches this had a relevant negative impact on their bottom line. If incidents or breaches occur, they have a strong negative impact, usually regarding the company’s bottom line; in the worst-case scenarios, the consequences could even mean casualties.
- Low but increasing maturity. The maturity of ICS/OT cybersecurity remains low, e.g. the way OT/ICS security is organized, but the potential impacts and liabilities make it a priority ; besides, the level of maturity is quickly rising, even if it is strongly limited by the lack of skills and collaboration.
- Collaboration between IT and OT teams is critical. Сollaboration is a critical factor for cybersecurity, even more so in OT/ICS cybersecurity. IT and OT people have different goals, processes, tools, and languages, but they must collaborate if they want to protect the OT/ICS space that is more and more blended with the IT space.