A third of industrial plants have no response plan for cyberattacks

An employee works on a Volkswagen e-Golf automobile in Dresden in 2018. Photo: Jens Schlueter/Getty Images

35% of global industrial plants have no response plan in case of cyberattacks, according to a survey conducted by Siemens and the Ponemon Institute.

Why it matters: The consensus among cybersecurity experts is to treat breaches as inevitable and plan ahead for resiliency. That can be particularly important in industrial systems, where physical safety and plant operations can hinge on the uptime of single systems.

The report sampled 1,726 employees of industrial companies scattered around the globe.

By the numbers: Only 42% of respondents rated their readiness for cyberattacks as "high."

  • While that number might be off since people aren't always the best judges of their own work, Siemens head of industrial cybersecurity Leo Simonovich told Axios that a low number actually speaks well of a community waking up to its vulnerability.
  • "We’ve seen a real awareness of the problem," he said. "The first step is identifying the threat."

From the survey, and confirmed by most experts' on-the-ground experience, Simonovich said there were three key problems that appear to plague industrial cybersecurity.

  • Experts aren't in charge. At the majority of plants, it's plant managers or industrial engineers, rather than cybersecurity experts, who run cybersecurity.
  • Low visibility. Unlike with traditional business networks, industrial networks often lack the tools to see what's going on in a network, which is critical in catching hackers. That, too, is getting better.
  • Staffing. This, said Simonovich, goes beyond the well-publicized global shortage of cybersecurity talent. Just as plant managers don't know the ins and outs of cybersecurity, cybersecurity talent often does not understand industrial machines that can frequently shut down when subjected to traditional cybersecurity processes.
  • "There's a lack of people who understand industrial controls, networking, security, and heavy machinery," he said. "One person needs at least 2-3 out of the four."