Age of existing assets are the greatest cybersecurity risk factor, 67% in 2020 Control Engineering research, up from 46% in 2016. This is of particular concern with remote operations increasing due to the COVID-19 pandemic and manufacturing starting up again.
Those answering the 2020 Control Engineering cybersecurity survey said, in a significant shift, the age of existing assets is the highest risk factor at 67%. In a similar 2016 cybersecurity survey, age of existing assets was 46% (third) in 2016. In 2016, the lack of appropriate technologies and lack of training or enforcement related to technologies were tied for first at 53%.
With more remote operations related to the COVID-19 pandemic, and as manufacturing retools to lower human risk while ramping up again, cybersecurity remains a concern. Data was collected Feb. 7 through March 5.
Figure 1: The greatest cybersecurity risk factors are seen to be age of existing assets, lack of training or enforcement related to technologies, lack of appropriate technologies, lack of training or enforcement related to policies, and lack of policies. Among the top five risk factors, three deal with technologies and three deal with policies (training, enforcement or policies). Note that two answers blend technologies and policies. Clearly, investments in technologies and people (policies, training and enforcement) all must be addressed to decrease cybersecurity risk. Courtesy: Control Engineering 2020 Cybersecurity Research Report
Cybersecurity research: threats, vulnerabilities, training
Threat levels: Perceived cybersecurity threats within respondents’ organizations were 3% severe and 73% high or moderate. Perceived severity remains the same within margins of error for each study: 25% high, 48% moderate, 22% low, 3% severe.
Most concerning threat:Â The most concerning threat to control systems is malware from a random source with no specific connection to our company or industry. The least concerning threat was an inside, intentional threat.
Greatest concern: Computer assets running commercial operating systems are the greatest concern regarding cybersecurity within the organization for 65% of respondents. The next greatest concerns were network devices and wireless communication devices.
Vulnerable components: Of the respondents, 39% said they are aware of zero malicious cyber incidents in the past 24 months while only 9% said they are aware of more than five malicious cyber incidents in the past 24 months.
Figure 2: The most concerning threat to control systems is malware from a random source with no specific connection to company or industry. The least concerning threat was an inside, intentional threat. Also among concerns are attacks to the company using an unknown network device vulnerability, attack to the company as part of a larger infrastructure disruption, theft of intellectual property, and unintentional inside threat. Courtesy: Control Engineering 2020 Cybersecurity Research Report
Malicious incidents: The largest share of respondents, 40%, said cyber incidents they were aware of were accidental infections; while only 22% said were targeted in nature.
Accidental incidents: More than half of the respondents said they were allowed to report cyber-related incidents, and they did. Of the respondents, 20% said they were allowed and did not report the incident.
Incident response team: An operating operational incident response team was present in the organization for 50% of the respondents; however, about a third (34%) said their organization does not have such a response team.
Training: Training to identify things that may indicate a cyber incident or attack was received by 64% of respondents. Training regarding who to contact in the event of a cyber incident or attack was received by 50% of respondents and 49% said they receive training on identifying social engineering attacks. Training on any of these topics was not received by 14% of respondents.
Think again about opportunities for upgrades and to decrease risk with more remote workers and as more manufacturers and engineering-related businesses restart.
Mark T. Hoske is content manager, Control Engineering, CFE Media, [email protected].
