Half of global companies that run industrial control systems (ICS) suffered between one and five security incidents in the past year despite the vast majority (83%) claiming to be well prepared to face down attacks, according to Kaspersky Lab.
The AV vendor polled over 350 industrial organizations around the world and found ineffective cybersecurity costs them up to $497,000 (£383,000) per year.
Despite confidence in their ability to deal with incidents, 74% said they thought a cyber-attack will happen and over half (55%) admitted that third parties can access their industrial control network.
The biggest security concern for most of the organisations surveyed was conventional malware (56%) rather than advanced targeted attacks or ransomware.
Security challenges are compounded by the fact that half of industrial organizations can’t hire the right security professionals.
The global cybersecurity skills shortage is set to extend to 1.8 million by 2022, a 20% increase since 2015, according to the latest stats released by the Center for Cyber Safety and Education.
Two-thirds (66%) of respondents reported claimed they already don’t have enough workers to address current threats.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers and IT security teams. They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness.” said Andrey Suvorov, head of critical infrastructure protection at Kaspersky Lab.
“With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind”.
A recent Trend Micro study revealed that major vulnerabilities exist in the Human Machine Interface (HMI) element of SCADA systems.
On the plus side, many of the bugs in the key areas of memory corruption (20%), credential management (19%), authentication issues (23%) and code injection (9%) are easily fixable.
However, manufacturers are lagging behind.
The report claimed it takes SCADA vendors on average 150 days to release security patches, leaving their customer exposed for around a month longer than for popular software like Windows and Adobe Flash.