ICS, OT Cybersecurity Incidents Cost Some U.S. Firms Over $100 Million: Survey
A report published on Wednesday by the Ponemon Institute and industrial cybersecurity firm Dragos shows that the average cost of a security incident impacting industrial control systems (ICS) or other operational technology (OT) systems is roughly $3 million, and some companies reported costs of over $100 million.
The report is based on data from a survey of 600 IT, IT security, and OT security practitioners conducted by the Ponemon Institute in the United States.
Twenty-nine percent of respondents admitted that their organization was hit by ransomware in the past two years, and more than half of them said they had paid an average ransom of more than $500,000. Some organizations reported paying more than $2 million.
Nearly two-thirds of respondents said they experienced an ICS/OT cybersecurity incident in the past two years. The most common causes were negligent insiders, a maintenance-related issue, or IT security incidents “overflowing” to the OT network due to poor segmentation between IT and OT.
On average, it took organizations 170 days to detect an incident, 66 days to investigate it, and 80 days to remediate the incident. A calculation based on the total number of hours it would take a team of six people to detect, investigate, and remediate an incident showed a total labor cost of nearly $1 million. Adding roughly $2 million for downtime, legal costs, regulatory fines, and equipment replacement results in an average total cost of approximately $3 million.
Of the companies that confirmed suffering an incident, 1% said the total cost of the ICS/OT incident exceeded $100 million, and 2% reported costs between $10 million and $100 million. Overall, 13% of respondents said the incident had cost them more than $1 million.
The report published by Dragos and Ponemon focuses on the “cultural divide” between IT and OT teams and its impact on their ability to secure both IT and OT environments.
Half of respondents cited cultural differences between security, IT and engineers as the main challenge when it comes to collaboration between IT and OT teams. Technical differences and clear ownership of industrial cyber risk were also cited by over 40% of respondents.
Several other issues were identified by the survey:
- C-level executives and the board are not regularly informed about the efficiency, effectiveness, and security of their ICS/OT cybersecurity program;
- Many senior managers lack awareness of the risks and threats to OT environments, which results in inadequate resource allocation;
- Reporting relationships and accountability for OT security are not properly structured and become deterrents to investing in OT and ICS cybersecurity;
- The level of cybersecurity maturity for ICS/OT is inadequate in many organizations.