Operational Technology (OT) is at the heart of industry. It is responsible for the smooth functioning of the machines and systems used for everything from critical supply services such as electricity and water to the production of goods. However, in an increasingly connected world, OT is also exposed to threats from cyber criminals. Robust cyber security measures for machinery and equipment in industrial environments are therefore crucial.
Companies report on their security measures
In collaboration with the Control System Cyber Security Association International ((CS)2AI), we took a look at the topic and produced the Control System Cybersecurity Annual Report 2024. To do so, we surveyed more than 630 companies from the industrial sector about their experiences with cyber attacks, specific attack patterns and responses. We also wanted to know what resources companies provide to protect their OT. The report provides a detailed insight into what progress the industry is making, what the most important trends are and what hurdles companies still need to overcome.
Jan Stoelting
Partner, Consulting
KPMG AG Wirtschaftsprüfungsgesellschaft
Many companies do not yet have a clear strategy
Among other things, the report shows that almost half (49 per cent) of the companies surveyed have no or only a basic cyber security strategy. Such a strategy does not include any plans, procedures or processes for further improving OT cyber security. Another finding is that many companies lack the expertise to recognise attacks at an early stage and close security gaps accordingly; more than half of those surveyed said this. Another sore point in OT cyber security is staffing, which 38 per cent of respondents describe as insufficient.
This year, for the first time, we asked companies what they prioritise in their cyber security strategy and in which areas they should invest accordingly. The greatest focus is placed on ensuring the security of ongoing operational and production processes. However, assessments clearly differ within companies: for respondents from the management level, the security of ongoing operational and production processes is the highest priority (65 per cent), compared to only 38 per cent of employees from the organisation. This raises the question of whether the incentives and motivation for an OT cyber strategy are aligned in many companies, and why objectives vary so much within a company.
The control systems are often easily accessible
The report also clearly shows that companies are doing much more than in previous years to protect their operational technology from criminals. One example is the complete monitoring of network activity, which is increasing significantly in companies, with an 80 per cent increase compared to last year's survey. For the report, we also assessed how accessible the control components of control systems are. In companies where the security strategy is more pronounced, the security components are often easier to access.
Companies in search of security experts
The report's findings show that while the increase in cyber-attacks is worrying, businesses are being more proactive with their cyber security budgets, focusing on prevention and recognising the threat of supply chain attacks. Furthermore, the report emphasises the urgent need for skilled cyber security experts in the face of escalating cyber threats.