90% of ICS ‘damaged’ by cyberattacks in last two years

No longer just ‘theoretical’. Ponemon report sheds light on the ongoing damage caused by cyber attacks across connected industry.
5 April 2019

Control panel. Plant for the production of steel. Source: Shutterstock

When we discuss the ‘cybersecurity threat’, our perception of its scale can be skewed by a massive volume of attempted breaches— not just the smaller number that successfully hit their intended target.

In contrast, a newly-released report by Tenable and the Ponemon Institute shines a new and stark light onto the problem, finding that a massive 90 percent of Industrial Control Systems (ICS) have been ‘damaged’ by cyber attacks in the last two years.

The study was based on a global analysis of more than 700 respondents from organizations in the critical infrastructure sector.

These are businesses— across energy & utilities, health & pharma, industrial & manufacturing, and transportation— that are dependent on ICS and other operational technology (OT).

Going further, the report found that just under a third (62 percent) had suffered two or more attacks, while around half of successful attacks overall had resulted in downtime of critical systems— either as a direct result of the attacks or because operators had to turn off systems to repair or mitigate damage.  

On the report, Tenable’s senior director of strategic initiatives, Eitan Goldstein, said: “OT professionals have spoken — the people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting-off cyberattacks on a regular basis.”

The report has been regarded as a wake-up call for industries that often under-report the extent to which they are subject to, and affected, by cybersecurity breaches, with staff often required to keep details secret for security reasons.  

A lack of visibility across the “attack surface” was the biggest complaint cited among respondents (80 percent)— not knowing what systems are part of their IT environments means they are powerless to protect it in the face of an onslaught of attacks.

But respondents also felt a lack of staff (61 percent) and overreliance on manual processes (55 percent) limits their ability to manage vulnerabilities, while 70 percent are struggling to communicate the scale of the problem to executives and board members.

“These are multiple, successful attacks on the physical world using cyber-technologies,” Goldstein told the BBC, adding that the risk “isn’t just theoretical anymore.”

Goldstein added that it’s thought increased connectivity to ICS is behind the rise in attacks.

“Today we want to be able to do analytics and predictive maintenance in our power plants, but the proliferation of smart devices and sensors and IoT is really increasing our cyber-exposure to attack,” he said.

“In many cases, organizations don’t even know what is connected to the internet and what can be accessed by hackers.”