Critical Infrastructure Attacks Spur Cybersecurity Investment

The attacks on critical industrial systems such as Colonial Pipeline last year pushed industrial cybersecurity to center stage. And with the threat of war between Russia and Ukraine, experts warned nations that a global flare-up of cybersecurity attacks on critical infrastructure could be looming. In late January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put critical infrastructure organizations on notice: Take “urgent, near-term steps” to mitigate the risk of digital attacks. The alert cited tension in eastern Europe as the catalyst for possible attacks against U.S. digital assets.

Critical Infrastructure Under Attack

Unfortunately, critical systems have long been under significant attack. In fact, an overwhelming 80% of critical infrastructure organizations experienced ransomware attacks last year, according to a survey released today by PollFish on behalf of cyber-physical systems security provider Claroty. The survey, completed in September 2021, gathered responses from full-time information technology and operational technology (OT) security professionals in the United States (500 professionals), Europe (300) and Asia-Pacific (300). The industries surveyed include IT hardware, oil and gas (including pipelines), consumer products, electric energy, pharmaceutical/life sciences/medical devices, transportation, agriculture/food and beverage, heavy industry, water and waste, and automotive.

Globally, 80% of respondents reported experiencing an attack and 47% of respondents said the attack impacted their operational technology and industrial control systems environment. A full 90% of respondents that reported their attacks to authorities or shareholders said the impact of those attacks was substantial in 49% of cases.

Attacking Digital Transformation

These attacks come at a time when industrial organizations are undergoing rapid digital transformation.

And ransomware, especially, hit industrial organizations hard. In the IT hardware, oil and gas, water and waste, and automotive segments, 90% of organizations reported being impacted by ransomware; 87% in the heavy industry and electric energy sectors said the same. Not surprisingly, the larger the organization, the more likely it was to be attacked, as that’s where the money is; a much smaller number (63%) of small and mid-sized businesses with less than $500 million in annual revenue reported being hit by ransomware.

Unfortunately for larger industrial enterprises, most suffered a substantial impact on their operations. Globally, nearly 15% endured only minimal or no impact while 36% witnessed a partial impact to a site or business function. However, 25% reported substantial impact for a week or less, 16% for more than a week and nearly 8% endured significant operational shutdown for more than a week.

The financial impact of ransomware attacks is high. Globally, about 60% of respondents paid a ransom and, of those who did pay a ransom, just over half paid $500,000 or more. In the U.S., more than three-quarters of respondents paid their ransom compared to 51% and 49% in APAC and Europe respectively.

The good news is that, after witnessing a number of high-profile attacks, critical infrastructure and industrial organizations are committed to making the investments necessary to better protect themselves. “On a global basis, more than half of the respondents said their organization’s C-suite and board are very involved in cybersecurity decision-making and oversight, which bodes well for ongoing investment and prioritization,” the report stated.

Additionally, more than 60% of respondents reported centralizing their operational and IT security and risk governance under the management of their CISO.

Since the Colonial Pipeline attack and the attack on meat supplier JBS last year, 54% of global respondents said that cybersecurity became a higher priority, and the same percentage said that they are increasing their investments in cybersecurity. Forty-one percent of respondents said they are implementing new or updated cybersecurity processes and controls.

Finally, more than 80% of respondents said both their IT and operational technology and industrial control systems (ICS) security budgets have increased since the start of the COVID-19 pandemic. “This widespread increase in investment is likely a direct result of executive- and board-level prioritization of cybersecurity amidst the scourge of ransomware that has disrupted operations for most industrial organizations surveyed,” the report concluded.