In spring 2019, ARC Advisory Group conducted a survey on the state of cybersecurity of Industrial Control Systems (ICS), as well as the priorities, concerns and challenges it brings for industrial organizations. The objective of the research was to understand the measures and processes involved in the prevention of cyber-incidents in industry.

Report explores the results of the survey and is a follow-on to previous ARC and Kaspersky surveys on ICS cybersecurity. 282 industrial companies and organizations across the globe were surveyed online, and 20 industry representatives were interviewed at trade fairs and ARC forums worldwide. The majority of responses came from companies in Europe, America and Asia. Survey respondents and interviewees work in a variety of roles in critical infrastructure; such as energy and water supply, as well as in process industries, including oil, gas and chemicals. 

Key findings: 

• Of the companies surveyed, more than 80% stated that operational technology (OT) cybersecurity is a high priority. However, only 31% have implemented an incident response program, while 37% said that such a process will be implemented within the next 12 months. 
• More than half (52%) of the surveyed companies are aware of the need to provide more resources for OT/ICS cybersecurity. Depending on the criticality of the company, a wide range of budget sizes are allocated to OT automation. This results in a highly diverse range of security protection measures and opportunities to invest in more resources, such as systems and staff (ICS experts). Whilst the budget often allows for investment on endpoint protection or OT audits, a lack of experts remains a problem for the industry and resources are not being allocated to solve it.
• How a company approaches cybersecurity often reflects their view of the entire industry. When talking to companies with well-defined OT/ICS cybersecurity processes, they believe that other organizations also have well-defined processes. In contrast, companies without clearly defined security processes believe that the entire industry needs to catch-up on how it approaches cybersecurity. 
• Around 70% of companies surveyed consider an attack on their OT/ICS infrastructure likely. Despite this, many have yet to define their own approach to implementing OT/ICS cybersecurity. 
• Four-in-ten (41%) companies surveyed stated that they have not experienced any cyber-incidents within the last 12 months, which is lower than the 51% recorded in 2018. 
• In many cases, a company’s own workers pose a security threat. Unintentional actions by employees can lead to the disruption of OT/ICS automation. This is partly due to a lack of awareness, especially regarding new digital OT automation systems. Of the companies surveyed, nearly half (48%) indicate plans to invest more in training. Ongoing rather than one-off training, is an important security measure.
   

Share: