Content, Content, Vertical markets

Industrial Control Providers Can’t Find Managed Security Specialists, Study Finds


Some 50 percent of operational technology/industrial controls systems (OT/ICS) companies can’t find suitable managed security services providers and partners to implement cybersecurity solutions, a new study said.

What’s more, nearly 60 percent consider it a “major challenge” to recruit and hire skilled ICS security pros, according to specialist Kaspersky in its second annual State of Industrial Cybersecurity 2018 trends analysis. The data are based on a survey of 320 professionals worldwide with decision-making responsibilities on OT/ICS cybersecurity, supplemented by 12 expert interviews.

In an absence of top flight ICS knowledgeable security pros, OT/ICS firms have taken to handling cybersecurity internally, the report said.

“We have an in-house team that takes care of ICS cybersecurity. It is challenging to hire a cybersecurity professional, because there are very few and you should have a specific type of cybersecurity professional. There are software professionals who do a lot of penetration testing and reverse engineering,” a U.S.-based energy and utility company told Kaspersky.

Budget isn’t the problem -- allocating the necessary funds to upgrade cybersecurity is an issue for only 37 percent of the companies surveyed, the least challenging item in terms of cybersecurity management, the study’s results showed.

ICS and Cybersecurity Needs: A Closer Look

There’s a lot to this report. Here are some of the top line points:

  • About 75 percent consider OT/ICS cybersecurity a major priority. The problem is they don’t take the necessary measures to protect themselves from hackers.
  • Roughly 75 percent believe that they are very likely or at least quite likely to become a target of a cybersecurity attack. Nevertheless, only 23 percent are compliant with minimal mandatory industry or government guidance and regulations for ICS security.
  • More than half did not experience any incident or breach in the past 12 months. (There's some question, however, if they would even have recognized it.)
  • Most that experienced OT/ICS cybersecurity incidents or breaches it hit their bottom line.
  • The maturity of ICS/OT cybersecurity remains low although the level is rising.
  • Collaboration with IT is a critical factor in OT/ICS cybersecurity.

More Bits and Bytes

And, here's some granularity:

On expectations:

  • 77% rank cybersecurity as a major priority.
  • 32% believe it is very likely that they will be targeted by attackers.
  • 65% expect a higher likelihood of cybersecurity risks due to the Internet of Things.

On incidents:

  • 10% do not measure the number of incidents and breaches.
  • 51% did not experience any incident or breach in the last 12 months.
  • 64% experienced a conventional malware and virus attack in the last 12 months.
  • 54% of those who experienced an incident in the last 12 months suffered damage to their products or services.

On the bottom line:

  • 20% experienced an increase in financial costs and damage related to incidents.

On investments:

  • 52% see past incidents and breaches as a major driver of future investments.

On incident response:

  • 77% have implemented an incident response program for IT security and 19% are planning to do so in the next 12 months.
  • 89% have either implemented a specific OT/ICS incident response program or plan to do so in the next 12 months.

On security awareness and compliance:

  • 88% have implemented security awareness programs or plan to do so in the next 12 months.
  • 85% have implemented cybersecurity compliance programs or plan to do so within 12 months.

The Bottom Line

Despite all the activity, there’s still a lot of OT/ICS cybersecurity work left to do.

"For most of the technology-oriented measures for OT/ICS cybersecurity, it can be said that what was planned in 2017 has not been realized,” Kaspersky wrote in the report. “Anti-malware and antivirus are standard solutions (implemented by 97% of the companies surveyed), as well as application protection (91%). Other technology-oriented measures are still not implemented at all companies. Even though these technologies are a given in traditional IT cybersecurity, in OT/ICS cybersecurity they are less often in use,” the security provider said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.