Current Study Reveals Serious Shortcomings in Industrial Cyber Security
- Nearly half of the respondents perceive the current protective measures against cyberattacks in the industry as inadequate
- Nearly a third of the respondents lack awareness of the relevant standards and regulations
Duesseldorf, September 19, 2024 – The results of a recent survey of IT managers in German industry show that only 46 per cent believe that the economy is adequately protected against cyberattacks. Only 29 per cent of respondents claim to be fully familiar with the cybersecurity regulations and standards relevant to their industry, with a further 25 per cent saying they are not at all familiar with them. These are the key findings of the "OT+IoT Cybersecurity Report 2024", a study by Düsseldorf-based cybersecurity company ONEKEY. The report surveyed more than 300 industrial companies in the spring of 2024 on the security of operational technology (OT) and Internet of Things (IoT) devices. In addition to input from IT managers, the survey also included responses from Chief Executive Officers (CEO), Chief Information Officers (CIO), Chief Information Security Officers (CISO) and Chief Technology Officers (CTO). The report will be published on the ONEKEY website in October.
The key findings of the study can be summarised as follows: Despite the acceleration of industrial digitalisation and the increasing use of software in control systems, many manufacturers and operators appear to lack awareness of the associated cyber risks. "This is already a tangible risk for manufacturers and therefore all operators of industrial devices and infrastructure," stated Jan Wendenburg, CEO of ONEKEY.
He provides the following rationale: “For many manufacturers, identifying the most pertinent compliance regulations represents a significant challenge. Internationally, there is a lot of activity with new legislation being introduced in various countries. Examples of such legislation include the EU's new Cyber Resilience Act, the UK's PSTI, the US's Biden Act and many others. To help companies navigate the complex landscape of compliance regulations, we have developed a compliance wizard that guides organisations through a streamlined assessment of their cybersecurity posture. This assessment combines automated cybersecurity checks with the assistance of a virtual assistant, providing a comprehensive yet straightforward solution for organisations seeking to demonstrate compliance with relevant regulations. The resulting documentation can be used as evidence in future cybersecurity matters and for additional certifications, should these be required.”
Industrial Controls and IoT Devices Are Overlooked in Cybersecurity Efforts
The ONEKEY report reveals that traditional cybersecurity analysis tends to focus on computer systems and networks, with industrial control systems in machines and plants as well as Internet of Things (IoT) devices often receiving less attention. However, the majority of respondents (51 per cent) believe that the hacker community is already focusing on the misuse of machine and plant control systems and IoT devices. It is believed that cyber criminals are already exploiting these systems to gain access to corporate networks. A further quarter (23 per cent) expect an increasing number of hackers to focus on industrial control systems and the Internet of Things in their digital operations in the future.
The results indicate that approximately three-quarters of industry executives believe that there has been an increase in the targeting of industrial controllers and IoT devices by hackers. In light of these findings, it is of the utmost importance for manufacturers of these control systems and devices to prioritise cybersecurity protection.
A significant number of respondents (46 per cent) to ONEKEY's “OT+IoT Cybersecurity Report 2024” showed a lack of understanding of the critical technical standards for cybersecurity in devices, machines and systems. Only 23 per cent of respondents consider the European Union's new Cyber Resilience Act (CRA) to be relevant. However, according to the current timetable, equipment and industrial controls that do not comply with the CRA will not be allowed to be sold in the European Union after 2027.
"Given the typical development times of more than two years, it is surprising how little awareness there is of the significance of the new regulation, given that it will be in force in approximately two or three years' time," stated Jan Wendenburg. He goes on to say that non-compliance with the CRA requirements from 2027 will have significant implications for both manufacturers of devices, machines and systems and industrial users alike. It is therefore in the interests of all parties involved in Industry 4.0 to ensure a swift upgrade of cybersecurity in the OT and IoT sector to the minimum level required by law.
Limited Focus on OT and IoT Systems
The report suggests that the widespread lack of awareness of cybersecurity in the OT and IoT sector is due to the fact that the majority of organisations perceive other areas of the business to be more vulnerable to cyber threats, leading to a lack of attention being paid to industrial components. For example, 42 per cent of executives surveyed for the “OT+IoT Cybersecurity Report 2024” consider payment and financial systems to be a priority for protection against cyberattacks. Thirty-nine per cent of respondents (multiple responses were allowed) cited attacks on corporate networks and data centres as the top cybersecurity risk. Thirty-six per cent of respondents believe that hackers are targeting customer data. A significant proportion (26 per cent) of respondents were concerned about the potential interception of email communications by unauthorised individuals. A quarter of respondents were concerned about the potential loss of trade secrets and patent documents. A sizeable share of respondents (22 per cent) see cloud services as a potential gateway for hackers. Other areas identified in the survey as requiring particular protection include personalised workplace systems (16 per cent), surveillance and security systems (16 per cent), critical infrastructure and health data (15 per cent), telecommunications systems (12 per cent), web applications and websites (9 per cent), and big data and artificial intelligence systems (8 per cent).
The survey results suggest that the perceived risks related to OT and IoT are relatively low. Only 11 per cent of respondents identified production and supply chain management systems as key cybercrime targets, while just 12 per cent expect hacker attacks on IoT devices and systems. A mere 9 per cent believe that production facilities and OT systems face significant internet-based threats, with mobile apps and devices seen as the least vulnerable, at just 5 per cent.
The CEO of ONEKEY is urging industry partners to push their suppliers to adopt strong cybersecurity measures for devices, machines, and systems. He elaborated: "Manufacturers must ensure their products comply with CRA standards. Companies lacking compliant products are not optimally positioned. It’s essential for all stakeholders in Industry 4.0 to prioritise cybersecurity, extending beyond traditional networks to include industrial control systems and the Industrial Internet of Things."
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes - without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH, Kaiserswerther Str. 45, 40477 Duesseldorf, Germany, Sara Fortmann, e-mail: sara.fortmann@onekey.com, website: https://onekey.com
PR Agency: euromarcom public relations GmbH, Muehlhohle 2, 65205 Wiesbaden, Germany, e-mail: team@euromarcom.de, website: www.euromarcom.de