
Cybersecurity requires asset updates

Age of existing assets is the greatest cybersecurity risk factor, at 67% in 2020 Control Engineering research, up from 46% in 2016. This is of particular concern with remote operations increasing due to the COVID-19 pandemic and manufacturing starting up again.

By Mark T. Hoske June 13, 2020
Courtesy: Control Engineering 2020 Cybersecurity Research Report

Those answering the 2020 Control Engineering cybersecurity survey said, in a significant shift, that the age of existing assets is the highest risk factor, at 67%. In a similar 2016 cybersecurity survey, age of existing assets was third at 46%. In 2016, the lack of appropriate technologies and lack of training or enforcement related to technologies were tied for first at 53%.

With more remote operations related to the COVID-19 pandemic, and as manufacturing retools to lower human risk while ramping up again, cybersecurity remains a concern. Data was collected Feb. 7 through March 5.

Figure 1: The greatest cybersecurity risk factors are seen to be age of existing assets, lack of training or enforcement related to technologies, lack of appropriate technologies, lack of training or enforcement related to policies, and lack of policies. Among the top five risk factors, three deal with technologies and three deal with policies (training, enforcement or policies). Note that two answers blend technologies and policies. Clearly, investments in technologies and people (policies, training and enforcement) all must be addressed to decrease cybersecurity risk. Courtesy: Control Engineering 2020 Cybersecurity Research Report


Cybersecurity research: threats, vulnerabilities, training

Threat levels: Perceived cybersecurity threats within respondents’ organizations were 3% severe and 73% high or moderate. Perceived severity remains the same within margins of error for each study: 25% high, 48% moderate, 22% low, 3% severe.

Most concerning threat: The most concerning threat to control systems is malware from a random source with no specific connection to our company or industry. The least concerning threat was an inside, intentional threat.

Greatest concern: Computer assets running commercial operating systems are the greatest concern regarding cybersecurity within the organization for 65% of respondents. The next greatest concerns were network devices and wireless communication devices.

Vulnerable components: Of the respondents, 39% said they are aware of zero malicious cyber incidents in the past 24 months while only 9% said they are aware of more than five malicious cyber incidents in the past 24 months.

Figure 2: The most concerning threat to control systems is malware from a random source with no specific connection to company or industry. The least concerning threat was an inside, intentional threat. Also among concerns are attacks to the company using an unknown network device vulnerability, attack to the company as part of a larger infrastructure disruption, theft of intellectual property, and unintentional inside threat. Courtesy: Control Engineering 2020 Cybersecurity Research Report


Malicious incidents: The largest share of respondents, 40%, said cyber incidents they were aware of were accidental infections, while only 22% said they were targeted in nature.

Accidental incidents: More than half of the respondents said they were allowed to report cyber-related incidents, and they did. Of the respondents, 20% said they were allowed and did not report the incident.

Incident response team: An operating operational incident response team was present in the organization for 50% of the respondents; however, about a third (34%) said their organization does not have such a response team.

Training: Training to identify things that may indicate a cyber incident or attack was received by 64% of respondents. Training regarding who to contact in the event of a cyber incident or attack was received by 50% of respondents and 49% said they receive training on identifying social engineering attacks. Training on any of these topics was not received by 14% of respondents.

Think again about opportunities for upgrades and to decrease risk with more remote workers and as more manufacturers and engineering-related businesses restart.

Mark T. Hoske is content manager, Control Engineering, CFE Media, mhoske@cfemedia.com.


Mark T. Hoske
Author Bio: Mark Hoske has been Control Engineering editor/content manager since 1994 and in a leadership role since 1999, covering all major areas: control systems, networking and information systems, control equipment and energy, and system integration, everything that comprises or facilitates the control loop. He has been writing about technology since 1987, writing professionally since 1982, and has a Bachelor of Science in Journalism degree from UW-Madison.