Control Systems Cyber Security Report 2022

Significant challenges continue to impact cyber security in industry. As the frequency and sophistication of threats increase, businesses are mobilizing their resources and expertise in bold new ways to protect themselves.

It's been an alarming year for operational technology (OT) cyber security amid high-profile attacks that have dominated international headlines. Many companies, in response, have rushed to review and remediate their OT environments — typically dedicating some much-needed investment, talent and technology towards immediate solutions while working to maintain their critical operations and agility.

Produced in collaboration with The Control System Cyber Security Association International ((CS)²AI), the 2022 (CS)²AI-KPMG Control Systems Cyber Security Survey report offers an in-depth look at: control system security events; the trends in attack activities and protective technologies; and how organizations are prioritizing their efforts to tackle the control systems security challenges.

The report is based on survey results from more than 580 industry members at large and a representative sample of (CS)²AI‘s worldwide membership of close to 25,000 community members today — professionals on the front lines of cyber security for all types of control systems.

The report's key findings reveal that considerable ground remains to be covered as the threat landscape grows and the pace of change accelerates. Notable findings include:

• Close to 50 percent the respondents cited ‘insufficient control system cyber security expertise’ as the greatest obstacle to reducing their control system cyberattack surface, while more than one third also cited ‘insufficient personnel.’
• About 10 percent of respondents reported a budget increase, down from approximately 30 percent in our previous survey, while 10 percent of businesses reported a budget decrease, compared to about 1 percent a year earlier.
• Nearly one in five organizations have no OT cyber security awareness training to improve the security culture organization-wide.
• More than 85 percent of organizations say they have management/response plans at some stage of development.
• 18–27 percent of organizations say they have no implementation and testing plans, a significant improvement over 2020.

Explore the full report to help develop a clearer picture of the growing cyber threat landscape and how to overcome the roadblocks to true progress.