Human error was behind over half (52%) of all cybersecurity incidents detected by Kaspersky in industrial environments last year.
The Russian AV vendor’s State of Industrial Cybersecurity 2019 report is compiled from interviews with 282 firms running operational and industrial control system technology (OT/ICS).
While the vast majority of firms (81%) are planning to digitalize their operational networks to drive Industry 4.0 initiatives, far fewer (57%) have allocated a cybersecurity budget, it found.
However, budget aside, there’s a worrying shortage of cybersecurity skills in these companies: respondents’ top two concerns centered around not having enough cybersecurity experts to manage industrial networks, and a general lack of security awareness among OT/ICS operators.
In nearly half of all cases (45%) an IT security employee also looks after OT/ICS security, but although the two spheres are converging, professionals on either side can have different goals and take alternative approaches to reaching them.
For example, in the OT world operators, traditionally focused on availability and physical safety, as equipment was largely isolated from the internet. As this changes, new approaches are needed.
“This year's study shows that companies are seeking to improve protection for industrial networks. However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors,” said Georgy Shebuldaev, manager at Kaspersky Industrial Cybersecurity.
“Taking a comprehensive, multi-layered approach — which combines technical protection with regular training of IT security specialists and industrial network operators — will ensure networks remain protected from threats and skills stay up-to-date.”
To illustrate the urgency of getting security right in industrial environments, a report from April revealed that 90% of critical infrastructure (CNI) providers have had their IT/OT environments damaged by a cyber-attack over the past two years.