In 2024, 25% of organizations worldwide recorded attacks directly controlled by humans (APT-style). Such incidents accounted for almost half (43%) of high-severity events, 74% more than in 2023. In addition to financial damage, cyberattacks can cause physical damage to a business and even lead to emergency situations; this is especially true for large industrial enterprises.
Do you expect an increase in attacks on industrial companies this year compared to last year?
We do not expect explosive growth; the situation has stabilized. For two years, there has been a plateau in the number of attacks. However, the threat landscape is becoming more complex: new vectors are emerging, old ones are being improved. The threat from ransomware, which is increasingly used against industrial enterprises, is especially relevant. In addition, targeted attacks are active, where attackers carefully select tools for specific enterprises. The situation is complicated by the fact that such attacks are difficult to detect using standard tools such as antivirus software.
Previously, attacks were often based on the human factor and phishing. Is this still relevant?
Yes, phishing and other social engineering techniques are still among the main tools of attackers at the initial stage of attacks. But now completely new tools for carrying out attacks are emerging; one of the popular vectors is the use of artificial intelligence. On the one hand, AI itself can become an object of attack, for example through data manipulation. On the other hand, it can be used by attackers themselves to prepare and carry out attacks. Neural networks are already widely used by programmers, and nothing prevents attackers from doing the same to create malware. AI also helps to adapt the behavior of malware to a specific infrastructure and to adjust to real-time protection, which makes attacks more difficult to detect.
Which industries are most vulnerable to cyber threats?
According to our statistics, the most frequently attacked sectors are electric power, construction, and oil and gas. Engineering systems and “smart home” systems are also often targeted by attackers.
As a result of successful attacks, companies primarily suffer financial losses. Any interruption of the production process is expensive, and the consequences of cyber attacks are not a momentary failure, but a long pause in the operation of the enterprise. There are also man-made risks, when breakdowns lead to emergency situations or even injuries. Such cases are rare, but they cannot be ruled out.
Another difficulty is recovery. In an office network, it is simpler, but if, say, a virus damaged a quarry dump truck, special expertise will be required, since its operation uses rare technologies and infrastructure elements that complicate the recovery process after attacks.
You recently conducted a study called “Information Security by the Rules” and found that the industry is less compliant with the requirements of the law than the public sector and finance. How can this be fixed?
The financial sector has historically been at the forefront because it was held accountable earlier. Industry, on the other hand, was not of interest to attackers for a long time, and the requirements for it appeared later. Plus, its IT landscape is more complex: automation systems have been operating for 20 years, they are difficult to update, and the implementation of security tools requires a special approach to avoid disrupting technological processes. This is not an office where you can quickly rebuild everything. The number of cyber defense mechanisms implemented in industry is lower than in other areas.
To level the playing field, it is important to use adapted technologies – large vendors have specialized solutions for industry. For example, we have a range of products developed specifically for industrial infrastructures. They minimize the impact on processes and allow for more effective responses to threats. The second point is that legislation should take into account industry-specific features.
We also offer services that allow you to assess the level of security of both IT and industrial systems. Our experts work as “white hat hackers”, modeling the actions of intruders and checking what methods of penetration into the infrastructure they can use.
There are separate assessment tools for industrial systems – they take into account the specifics of such objects. We also train personnel: we conduct trainings on current threats, incident investigations. The human factor, unfortunately, remains a weak link, and training is the most important measure of cybersecurity.
Are there any new legislative initiatives on information security, especially for industry? How effective are they?
One of the main recent innovations is RF Government Resolution No. 1912 on the transition of significant critical information infrastructure facilities to trusted hardware and software systems (HSS). Companies were supposed to begin the transition on September 1, 2024, and complete it by January 1, 2030. This means that the systems supporting key business processes must be transferred to domestic solutions in accordance with the said resolution. This is a serious challenge: the scope of modernization is enormous, and manufacturers are required to create products that are at least as good as foreign ones. A successful cyber attack could cause major disruptions and financial losses.
The threats are serious now, and businesses understand this. In general, the legislation in the Russian Federation is well developed, and regulators have made great strides in recent years. Our research shows that the requirements reflect modern risks, although they are sometimes difficult to implement. However, awareness is the first step to success. For this purpose, our company has created the Regulatory Hub, a free knowledge base in which any company can see the regulators' requirements for a specific business and receive recommendations on how to implement them.
But there are also problems. For example, there are many industries, but the requirements for them are still uniform. This complicates the implementation of information security regulations: enterprises do not always understand how to apply general regulations to their specifics.
The study said that a third of companies found compliance too resource intensive. What exactly does that mean by resources – just money?
Money is only part of it. Another big problem is the shortage of qualified personnel. Universities are increasing the training of specialists, but the deficit remains. In addition, not all companies are corporations.
For small and medium businesses, the costs of meeting all the requirements are really high. In such cases, outsourcing information security can be a good solution. For example, services with round-the-clock infrastructure monitoring, like ours, are cheaper and faster than building everything yourself.