Many of the UK’s critical infrastructure firms are at risk of cyber-attack because they have failed to take account of the vulnerabilities created by integrating industrial control and corporate IT systems, according to KPMG.
The global consultancy interviewed over 300 senior IT, engineering and operations leaders in industries including utilities, energy, transport, manufacturing and construction.
The vast majority (80%) said they have already, or are planning to, merge their IT systems.
But although 83% said they were aware that control systems are more likely to be targeted as a result, over 60% said their organization had not taken account of the threat posed by cyber-criminals.
Almost half said their company is not investing enough in cybersecurity.
While often discussed in theoretical terms, attacks on critical infrastructure are not uncommon.
In a Trend Micro report into attacks in the 25 countries of the Organization of American States earlier this year, over half (53%) of those heads of security polled claimed CNI attacks had increased since the previous year.
Over three-quarters (76%) said attacks had become more sophisticated.
It must be added that information-stealing attacks (60%) were more common than threats against industrial control systems (54%), although the latter are particularly vulnerable – often because patching is difficult due to the mission-critical nature of what they do, and because many run outdated operating systems.
Roy McNamara of KPMG’s Cybersecurity team recommends that before considering any IT integration, managers should conduct a full risk assessment, select the controls “most appropriate to their environment and decide whether these controls should be integrated.”
“From our experience the best results aren’t achieved from putting point solutions in place, but rather from ensuring the right culture and governance structures exist,” he told Infosecurity by email.
“Allowing the corporate and production teams to work together to identify and manage their risks on an ongoing basis throughout the production asset’s lifecycle.”
As a bare minimum, CNI firms should consider network zoning and segregation between corporate and process control environments; remote access security; system hardening; mobile media controls; third-party security; and event logging and monitoring.
“Other controls such as AV and security patching are applicable, but need to be carefully considered as the production domain has different operational priorities and risk considerations from the IT domain,” he added.
“Finally, physical and procedural security should also not be forgotten. They are essential in protecting remote systems and ensuring secure operations.”