KPMG & (CS)2AI: 2024 Control System Cybersecurity Annual Report (English edition, 75 pages)
The (CS)2AI-KPMG Control System Cybersecurity Annual Report 2024

Contents
The Chairman's Message (p. 4)
Annual Report Title Sponsor Foreword (p. 5)
Executive Summary (p. 6)
(CS)2 Programs (p. 8)
(CS)2 Program Maturity, Longitudinal Analysis (p. 9)
Client (CS)2 Program Maturity, Regions (p. 10)
(CS)2 Key Performance Indicators (KPIs), High M vs Low M (p. 11)
Security Frameworks in Use, End Users vs Vendors (p. 12)
Organizational Plans, End Users (p. 13)
(CS)2 Services, End Users (p. 14)
(CS)2 Technologies, End Users (p. 15)
Obstacles to Reducing the (CS)2 Attack Surface (p. 16)
(CS)2 Obstacles, High M vs Low M (p. 17)
(CS)2 Obstacles, Organizational Level (p. 18)
(CS)2 Obstacles, End Users & Vendors (p. 19)
(CS)2 Obstacles, Regional Analysis (p. 20)
(CS)2 Spending and Budgets (p. 21)
Top (CS)2 ROI, Organizational Level (p. 22)
Top (CS)2 ROI, High M vs Low M (p. 23)
Spending Priorities, Organizational Level (p. 24)
Vendor Budget Guidance to Clients, Vendors (p. 25)
Top (CS)2 Expenditures, High M vs Low M vs All (p. 26)
Top (CS)2 Expenditures, End Users (p. 27)
(CS)2 Budget Change, Longitudinal Analysis (p. 28)
(CS)2 Obstacles, High M vs Low M (p. 29)
(CS)2 Obstacles, Organizational Level (p. 30)
(CS)2 Budgets, High M vs Low M (p. 31)
(CS)2 Assessments (p. 32)
(CS)2 Assessment Frequency, High M vs Low M (p. 33)
(CS)2 Assessment Frequency, End Users & Vendors (p. 34)
(CS)2 Assessment Inclusions, High M vs Low M (p. 35)
(CS)2 Assessment Inclusions, End Users & Vendors (p. 36)
(CS)2 Assessment Responses, High M vs Low M (p. 37)
Pre-Acquisition (CS)2 Risk Assessments, High M vs Low M (p. 38)
Security Training (p. 39)
(CS)2 Awareness Training Integration, End Users (p. 40)
(CS)2 Awareness Training Integration, High M vs Low M (p. 41)
(CS)2 Training Inclusions, High M vs Low M (p. 42)
(CS)2 Networks (p. 43)
Control System Component Accessibility (p. 44)
Current Managed (CS)2 Services, High M vs Low M (p. 47)
Use of Managed (CS)2 Services, Longitudinal Analysis (p. 48)
Current (CS)2 Technologies, High M vs Low M (p. 49)
(CS)2 Network Monitoring, Longitudinal Analysis (p. 50)
(CS)2 Visibility, End Users (p. 51)
(CS)2 Incidents (p. 52)
(CS)2 Attack Responses, End Users (p. 53)
Recent (CS)2 Incidents, Longitudinal (p. 54)
Client (CS)2 Incident Attack Vectors, Regions (p. 55)
(CS)2 Incident Impacts, Longitudinal Analysis (p. 56)
Recent (CS)2 Attack Vectors, Longitudinal Analysis (p. 57)
(CS)2 Threat Actors, Longitudinal Analysis (p. 58)
Vendor Guidance (p. 59)
Client KPI Focus Guidance, Vendors (p. 60)
Appendix A: Demographics (p. 61)
Respondent Titles, End Users & Vendors (p. 62)
Participation by Region (p. 63)
Respondent Ages (p. 64)
Respondent Age by Organizational Level (p. 65)
Respondent Education Levels (p. 66)
Respondent Organizational Category (p. 66)
Participation by Industry (End Users Only) (p. 67)
Respondent Organization Sizes (p. 68)
Respondent Decision Roles (p. 68)
Respondent Decision Roles, End Users Only (p. 68)
Respondent Titles and Organizational Level Representation (p. 69)
Appendix B: Annual Report Steering Committee & Contributors (p. 71)
Appendix C: About (CS)2AI (p. 73)
Appendix D: Report Sponsors (p. 74)

The Chairman's Message

Dear Industry Colleagues,

As we kick off a new calendar year, it's essential to reflect on the progress we've made in the field of control system security as well as the challenges we continue to face. Though I am certainly an optimist in my core, what I have gathered from the hundreds of personal interactions I have had in the last year is a sense that real progress on a long road is being made. One thing that hasn't changed is the amount of work still ahead of us to ensure secure systems that enable modern ways of life.

I am proud to announce this third edition of the (CS)2AI-KPMG Control System Cybersecurity Annual Report, the product of not only our own analysts and researchers but the growing group of Report Steering Committee contributors. This year's report is based on survey results from more than 630 industry members at large and a representative sample of (CS)2AI's worldwide membership (approaching 34,000 community members today), with questions regarding their experiences with control system security events, attack patterns, and their responses, and where their organizations are focusing their resources to protect critical systems and assets.

The 2024 report sheds light on several critical trends and challenges in the control system security industry. While the increase in cyberattacks is concerning, organizations have become more proactive in their cybersecurity budgets, focused on prevention, and acknowledging the threat of supply chain attacks. One of the significant issues highlighted in the report is the shortage of skilled workers in the cybersecurity field. With the rise of cyber threats, the demand for cybersecurity professionals has never been higher. Respondents in the survey report increased difficulty in hiring qualified personnel, and the report highlights the need for organizations to invest in the development of their current employees' cybersecurity skills and training.

This annual publication is the product of a growing group of vital contributors. Our greatest expression of appreciation must go to KPMG International, the report title sponsor, for enabling us to launch this project years ago and for their continued support and collaboration with us on its production. Waterfall Security Solutions and Fortinet have also been with us, providing resources and expertise, since our first edition, and we further wish to thank all the other partners whose backing and guidance have helped to make this a valuable decision support tool every year (see Appendix D). Of course, we would be remiss not to include all of those who stepped up and became members of our Annual Report Steering Committee (see Appendix B).

It is our collective aim that this report provides valuable insights into the experiences of colleagues in the field, serving as a tool to support the many difficult decisions being made every day. It's important to use the findings of this report to make informed decisions and prioritize the areas that provide the best ROI in control system security spending. We remain committed to supporting our community in their efforts to ensure secure systems that enable modern ways of life.

Regards,
Derek Harp
Founder & Chairman, (CS)2AI

Annual Report Title Sponsor Foreword

Walter Risi, Global OT Cybersecurity Leader, KPMG International, and Partner and Head of Consulting, KPMG in Argentina
Pablo Almada, Global OT Cybersecurity Deputy Leader, KPMG International, and Partner and Head of OT Cybersecurity, KPMG in Argentina

While Operational Technology (OT) Cybersecurity has secured its place on the agendas of most industrial Chief Information Security Officers (CISOs), it remains, in many cases, an isolated concern within the broader cybersecurity landscape. Despite significant strides made by numerous companies in recent years, there is an ongoing journey towards greater maturity and integration in this domain. The findings from this year's collaborative effort between (CS)2AI and KPMG International shed light on both the progress we've achieved and the persistent challenges we face.

Regarding maturity, nearly half (49%) of the organizations surveyed continue to operate at maturity levels 1 and 2, which encompass firefighting and basic management, respectively. While the necessity of establishing an OT cybersecurity program is no longer a novel concept, and despite the availability of mature technological solutions, there hasn't been a substantial leap in maturity observable in the survey results. One notable factor likely impeding progress is the scarcity of skilled resources, a well-known challenge with which the field has been struggling for years.

Despite these challenges and the relatively gradual pace of development, our discussions with industry executives reveal a heightened awareness of the risks associated with OT cybersecurity. Whereas it might have been a tough sell in years past, cybersecurity conversations with top-level executives increasingly revolve around OT cybersecurity as a focal point. This signifies a higher level of understanding and recognition of the subject's critical importance. It's not surprising to find that executives are also more willing to engage in crisis simulations and tabletop exercises centered on OT cybersecurity.

We believe that the annual collaboration between KPMG International and (CS)2AI plays a pivotal role in elevating awareness among executive leadership. By drawing from real-world insights provided by practitioners and leaders across the globe, our survey offers an impartial perspective on the global evolution of this field. It aids in informed investment decisions and highlights the growing interest in this area. We believe our joint report serves as a valuable resource for both OT cybersecurity practitioners and leaders, as well as the wider executive community.

In this third edition, we reaffirm our commitment to providing an unbiased outlook on the main challenges surrounding OT cybersecurity as perceived by global leaders in the field. We invite our readers to delve deep into the insights of this year's report, with the hope that our annual endeavor empowers you, whether you're a leader, executive, or practitioner, to make more informed decisions and investments in this domain.
We view OT cybersecurity as an ongoing journey with no true ending. This survey, much like cybersecurity itself, is an integral part of this perpetual journey, dedicated to delivering improved insights into this critical field year after year.

Executive Summary

Key Findings

Almost half of organizations responding (49%) remain without ICS/OT cybersecurity programs or with only a basic one, lacking established plans, procedures, or capability improvement processes.

Respondents at different organizational levels revealed quite different priorities for allocation of extra discretionary funds, raising questions of whether their incentives are in alignment and why their goals are different.

Full monitoring of control system network activity is increasing, with an 80% increase in the past year.

We assessed the accessibility of many control system components (PLCs, IEDs, RTUs, HMIs, servers, workstations and historians) from business networks, the internet, the cloud, and by integrators/vendors. There is frequently little difference between organizations with High Maturity programs and those with low ones in this area. In fact, components in High M organizations are often more accessible than in Low M ones. Please see page 8 for definitions of High M and Low M.

This report is the latest in a series of annual publications, drawn from research by the Control System Cybersecurity Association International (a.k.a. (CS)2AI), its community of nearly 34,000 members and dozens of Strategic Alliance Partners (SAPs). Based on decades of cybersecurity survey development, research and analysis led by (CS)2AI Founder and Chairman Derek Harp and Co-Founder and President Bengt Gregory-Brown, the (CS)2AI team invited our global members and thousands of others in our extended community to participate, asking key questions about their experiences on the front lines of operating, protecting, and defending Operational Technology (OT) systems and assets that cost millions to billions in capital outlay, impact as much or more in ongoing revenues, and affect the daily lives of individuals and the business operations of enterprises worldwide. Over 630 of them responded to our primary survey, and many more participated in additional data gathering efforts we run via our ongoing (CS)2 educational programs. This pool of data, submitted anonymously to exclude considerations which might otherwise influence participant responses, offers insight into the real-world experiences of individuals and organizations responsible for CS operations and assets beyond what could fit into this report. We hope the details we have selected to include provide the decision support tool our readers require.

Survey Objective and Methodology

This report uses the overarching terms Control Systems (CS) and Operational Technology (OT) to refer to any and all systems that manage, monitor and/or control physical devices and processes. CS, (CS), and OT should therefore be understood to include Industrial Control Systems (ICS), Supervisory Control & Data Acquisition (SCADA), Process Control Systems (PCS), Process Control Domains (PCD), Building/Facility Control, Automation & Management Systems (BACS/BAMS/FRCS), network-connected medical devices, etc. Similarly, the term (CS)2 refers to the Control System Cybersecurity field, profession, programs and workforce.

The (CS)2AI-KPMG Control System Cybersecurity Annual Report series was launched in 2019 to produce informative decision-making tools for all parties involved with the work of securing control system assets and operations, whether end users or vendors, executives, managers or operational resources, anywhere in the world. This report is a collaborative effort of these entities:

(CS)2AI: As the project originator, (CS)2AI held the primary role in planning, leading and implementing the project, including data collection and analysis and authoring this report.
KPMG International: As the Title Report Sponsor, KPMG provided primary funding and organizational resources to augment (CS)2AI's own capabilities.
Additional sponsors: non-Title Sponsors Fortinet, Waterfall Security Solutions and Opscura provided additional funding and other resources. (See Appendix D: Report Sponsors.)

Pursuant to the objectives stated above, (CS)2AI and our sponsors distributed online surveys to members of the CS/OT cybersecurity community working in the field, collecting key data around CS events, activities and technologies, and details on how organizations are responding to the changing threatscape[1]. (CS)2AI invited participation from its associated members and known OT security defenders and researchers, distributed the survey through direct invitations and various broadcast media channels, and promoted it on sites serving the CS cybersecurity workforce, with the intent to collect as wide a sample as possible. Respondents self-selected by affirming their current or recent involvement with the (CS)2 field. They include professionals at all organizational levels: cybersecurity specialists and subject matter experts (SMEs) as well as those whose work includes, but does not necessarily consist solely of, securing and protecting control systems.

The ability to parse our participants into different groups and compare their inputs across these groupings is key to the insights derived from this annual research project. While we consider survey participants' (CS)2 program maturity the most important dimension, we also considered their organizational levels, their regions, and their relationship with (CS)2 assets (vendors, users, owners, or operators). Of course, we also performed longitudinal analysis and, where we found interesting trends, we share those as well.

[1] Threatscape: the sum of all possible threats to CS/OT operations and assets. The threatscape is dynamic, continually shifting as vulnerabilities are discovered and protections are developed to counter their exploitation.

(CS)2 Programs

A measure of respondent organizations' (CS)2 program maturity is key to much of our annual analysis, providing a metric against which to evaluate much of the other data they provide. What are organizations with more mature programs[2] doing differently or more often than others? Where we find significant differences between the responses of these groups, we bring them to our readers' attention. We asked each participant to choose which of the following descriptors best fit the situation in their organization.

Levels of Control System Cybersecurity Program Maturity

Level 1, Fire Fighting: Cybersecurity processes are unorganized and undocumented, not organized in a program. Success depends on individual efforts and is not repeatable or scalable because processes are not sufficiently defined and documented. Passive Defense.
Level 2: Basic project management practices are followed in cybersecurity implementations; success continues to require key individuals, but a body of knowledge is developing. Best practices are performed but may be ad hoc. Passive Defense.
Level 3: Cybersecurity produces and works from documented processes and procedures. Key stakeholders are identified and involved. Adequate resources (people, funding, and tools) are provided to support the process. Standards and/or guidelines have been identified to guide the implementations. Passive Defense.
Level 4: The cybersecurity program uses data collection and analysis to improve its outcomes. Activities are guided by documented organizational directives; policies include compliance requirements for specified standards and/or guidelines. Personnel responsible for control system security duties have training and experience. The program is managed and proactive, tracks metrics, and has some automation. Active Defense, SIEM, anomaly and breach detection.
Level 5: Cybersecurity processes are continually improved via feedback from existing processes and adapted to better serve organizational needs. Personnel performing the processes have adequate skills and knowledge. Optimizing, automated, integrated, predictable. Active Defense, threat intelligence, incident management.

[2] The High M group includes all respondents self-rated at Level 4 or 5; the Low M group those identifying as Level 1 or 2.

(CS)2 Program Maturity, Longitudinal Analysis

The number of participants in each ranking has shifted over time (note the rise of Level 2 responses this year), but we found little change in the sizes of the aggregated High M/Low M groups over the years. Participants continue to rate their own (CS)2 programs consistently. Our team considers this supportive of the validity of this self-evaluation. We use it extensively in our analyses of contrasts and similarities between the High Maturity (Levels 4 and 5) and Low Maturity (Levels 1 and 2) groups to base recommendations on.

Chart: Which of these best describes your control system cybersecurity program? (share of respondents, by survey year)
Level 1: 2020 14%, 2022 16%, 2023 16%
Level 2: 2020 30%, 2022 28%, 2023 33%
Level 3: 2020 33%, 2022 32%, 2023 28%
Level 4: 2020 17%, 2022 16%, 2023 17%
Level 5: 2020 6%, 2022 9%, 2023 6%

Client (CS)2 Program Maturity, Regions[3]

Consultants (vendors, service providers, integrators) around the world do not share the same view of the maturity of their clients' (CS)2 programs. Different regions have different views with respect to maturity. Region 2 self-scores lower, with 63% in Levels 1 and 2; Region 4 centers around Level 2 (48%); and Region 5 centers around Level 3 (56%). Regions 3, 6 and 7 lacked sufficient participation to include in this analysis (see footnote 3).

Chart: Which of these best describes the control system cybersecurity programs of your clients? (share of respondents, by region)
Level 1: Global 16%, Region 1 20%, Region 2 20%, Region 4 10%, Region 5 16%
Level 2: Global 34%, Region 1 34%, Region 2 43%, Region 4 48%, Region 5 12%
Level 3: Global 29%, Region 1 28%, Region 2 16%, Region 4 31%, Region 5 56%
Level 4: Global 15%, Region 1 14%, Region 2 16%, Region 4 7%, Region 5 12%
Level 5: Global 5%, Region 1 5%, Region 2 4%, Region 4 3%, Region 5 4%

[3] (CS)2AI is organized into seven Regions: 1) North America; 2) Europe (Central, Western, Northern and Southern); 3) Eurasia; 4) Indo-Pacific; 5) Middle East-North Africa; 6) Southern Africa; 7) Latin America-Caribbean.

(CS)2 Key Performance Indicators (KPIs), High M vs Low M

While the greater tracking of some Key Performance Indicators (KPIs) by more mature programs is unsurprising (e.g., the nearly five-fold difference in tracking of Security Activity Costs Through Efficiencies/Improvements, 8% Low M vs 40% High M, is expected, since this is a core activity used to improve any program over time), we consider it concerning that so many programs track so little. We had approximately twice as many Low M respondents as High M this year, and although an encouraging 85.3% of those track some KPIs, most only track a few. We highly recommend these organizations expand their metrics to gain greater visibility into the effectiveness of their security program efforts.

Chart: Typical (CS)2 KPIs monitored by organizations (share of respondents tracking each)
The number of people who repeatedly click malicious links: High M 34%, Low M 28%
The number of security incident false positives: High M 41%, Low M 21%
The percentage of malicious and/or spam email that reaches end users: High M 47%, Low M 35%
The financial cost of security incidents: High M 44%, Low M 24%
The number of people clicking bad links: High M 34%, Low M 34%
The number of shared accounts in use: High M 31%, Low M 31%
The time to resolve security incidents: High M 38%, Low M 28%
The number of systems with expired applications and configurations: High M 44%, Low M 31%
The number of security incidents: High M 56%, Low M 38%
The number of infected (malware) systems: High M 38%, Low M 24%
The number of un-inventoried devices: High M 31%, Low M 21%
The number of systems missing patches: High M 50%, Low M 31%
The amount of operational disruption (downtime) caused by security incidents: High M 59%, Low M 22%
The number of information flows from non-critical sources into control-critical networks: High M 28%, Low M 18%
Security activity costs through efficiencies/improvements: High M 41%, Low M 9%
Number of sites and systems with the organization's security requirements and principles implemented and actively followed: High M 38%, Low M 16%
My organization does not track KPIs: High M 3%, Low M 15%
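Two of the KPIs in the list above, the number of information flows from non-critical sources into control-critical networks and the number of un-inventoried devices, can be computed from data most sites already collect: flow records from a passive network sensor plus the asset inventory. The following is an added example, not code from the report or from (CS)2AI, showing one way to derive both. The zone CIDRs (a Purdue-style layout is assumed), the inventory, and the flow lines are constructed for the example, and the one-record-per-line flow format is an assumption about the sensor export.

```python
"""Compute two control-system KPIs from flow records.

Added example: zone definitions, inventory and flow lines are constructed.
Flow line format (assumption): "<src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed zone model (assumption: Purdue-style levels). The boolean marks
# control-critical networks; any address outside a critical zone, including
# addresses that match no zone at all, counts as a non-critical source.
ZONES = {
    "enterprise_it": (ip_network("10.0.0.0/16"), False),
    "dmz": (ip_network("10.1.0.0/24"), False),
    "supervisory": (ip_network("192.168.10.0/24"), True),
    "control": (ip_network("192.168.20.0/24"), True),
}

# Constructed asset inventory: addresses the organization has documented.
INVENTORY = {"192.168.10.5", "192.168.10.6", "192.168.20.11", "192.168.20.12"}

# Constructed flow records, as a span-port sensor might export them.
SAMPLE_FLOWS = """\
10.0.4.21 192.168.10.5 502 tcp
10.0.4.21 192.168.10.5 502 tcp
10.1.0.7 192.168.20.11 44818 tcp
192.168.10.5 192.168.20.11 502 tcp
192.168.20.99 192.168.20.12 102 tcp
10.0.9.3 192.168.20.12 20000 tcp
192.168.10.6 10.0.0.50 443 tcp
this line is malformed
"""


def zone_of(ip):
    """Return (zone name, is_control_critical); unknown addresses are non-critical."""
    addr = ip_address(ip)
    for name, (net, critical) in ZONES.items():
        if addr in net:
            return name, critical
    return "unknown", False


def parse_flows(text):
    """Parse flow lines into (src, dst, dport, proto) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, proto = parts
        flows.append((src, dst, int(dport), proto))
    return flows


def noncritical_to_critical_flows(flows):
    """KPI: information flows from non-critical sources into control-critical networks.

    Returns a Counter keyed by (src, dst, dport) so repeated records of the same
    conversation are aggregated rather than inflating the count.
    """
    hits = Counter()
    for src, dst, dport, _proto in flows:
        _, src_critical = zone_of(src)
        _, dst_critical = zone_of(dst)
        if dst_critical and not src_critical:
            hits[(src, dst, dport)] += 1
    return hits


def uninventoried_devices(flows, inventory):
    """KPI: addresses seen inside control-critical zones that are not in the inventory."""
    seen = set()
    for src, dst, _dport, _proto in flows:
        for ip in (src, dst):
            if zone_of(ip)[1] and ip not in inventory:
                seen.add(ip)
    return seen


def kpi_report(text=SAMPLE_FLOWS, inventory=INVENTORY):
    """Summarize both KPIs for one collection window."""
    flows = parse_flows(text)
    crossing = noncritical_to_critical_flows(flows)
    return {
        "distinct_crossing_flows": len(crossing),
        "crossing_flow_records": sum(crossing.values()),
        "uninventoried_devices": sorted(uninventoried_devices(flows, inventory)),
    }


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value}")
    # Each crossing conversation is a candidate for firewall-rule review or a data diode.
    crossing = noncritical_to_critical_flows(parse_flows(SAMPLE_FLOWS))
    for (src, dst, dport), count in sorted(crossing.items()):
        print(f"  {src} -> {dst}:{dport} ({count} records)")
```

On the constructed sample the report finds three distinct non-critical-to-critical conversations (four records, since one repeats) and one device talking inside the control zone that the inventory does not know about. Counting distinct conversations rather than raw records is deliberate: the KPI is meant to shrink as flows are removed or forced through a controlled path, and a chatty but already-reviewed flow should not dominate the number.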
Security Frameworks in Use, End Users vs Vendors

Comparing the views of disparate groups has its detractors, but we consider viewing the perspectives of these two side by side useful, as both have responsibility for the security of control systems. The standouts here are the C2M2 and NIST, the former for Vendors and the latter for End Users. Reported use of the C2M2 by End Users effectively matches last year's overall figure (2022: C2M2 26.3%), but that report did not differentiate between End Users and Vendors. In the latest iteration of our survey, Vendors responded separately and report using the C2M2 almost exactly twice as often (End Users 26.6% vs Vendors 53.1%). NIST usage does not appear to have changed as much: last year's all-participants response was 45.7% (2022), and an average of the two groups falls into that range.

Chart: Frameworks used by control system security teams (share of respondents)
NIST: Vendors 19%, End Users 53%
NERC CIP: Vendors 34%, End Users 25%
Top 20 Critical Security Controls: Vendors 31%, End Users 25%
ANSSI ICS: Vendors 25%, End Users 9%
ISO: Vendors 34%, End Users 28%
COBIT: Vendors 9%, End Users 10%
ISA/IEC 62443: Vendors 44%, End Users 36%
Cybersecurity Capability Maturity Model (C2M2): Vendors 53%, End Users 27%
Industry Regulations: Vendors 28%, End Users 26%

Organizational Plans, End Users

It is our team's view that every organization with (CS)2 responsibilities should manage its risks comprehensively, with documented, implemented and tested plans and procedures to reduce incidents and minimize impacts on their company, employees, and clients. With plans fully Implemented and Tested being the gold standard, the large numbers of respondent companies with plans mostly only Documented or Planned is concerning, as they are not procedurally prepared to manage and respond to the types of events these plans are intended for.

Chart: Current state of organizational plans (share of respondents)
Control System Risk Management Plan: Planned 22%, Documented 24%, Implemented 37%, Tested 13%
Control System Cybersecurity Incident Response Plan: Planned 24%, Documented 25%, Implemented 29%, Tested 20%
Control System Cybersecurity Business Continuity Plan: Planned 23%, Documented 28%, Implemented 29%, Tested 15%
Control System Cybersecurity Disaster Recovery Plan: Planned 28%, Documented 27%, Implemented 20%, Tested 22%
Control System Cybersecurity Vulnerability Management Plan: Planned 28%, Documented 20%, Implemented 34%, Tested 16%
Control System Cybersecurity Access Management Plan: Planned 22%, Documented 22%, Implemented 33%, Tested 17%
Supply Chain Risk Management Plan: Planned 35%, Documented 20%, Implemented 26%, Tested 11%

(CS)2 Services, End Users

Where do organizations go to find the aid they need to protect their (CS)2 assets, people, and operations? Everywhere they can, according to our respondents. The standout response of Internal IT Security Resources (56.2%) suggests that OT cybersecurity is being driven by IT groups in most organizations, with the concomitant likelihood that IT security methods and technologies are being applied in these environments.

"Many CISOs are intimidated by OT security projects because the cure for cybersecurity in plants is worse than the disease. I used to be a CISO, so I understand. OT requires prioritization for the process, whereas IT prioritizes security over downtime. We are losing the war against bad actors largely due to inaction. Securing OT using traditional IT tools is costly, not just because of the consulting, planning, and equipment, but most of all because of the debilitating amount of downtime. Operators have to make painful decisions to reconfigure their networks, replace working (but end-of-life) assets, and deploy security teams, all while shutting down their plant for days if not weeks. We are forcing them to make the hard decision to NOT move forward with cybersecurity for their operating lines and facilities. The downtime in many cases is more expensive than the whole security project itself. Let's partner to make securing and maintaining our plants and factories less time-intensive, more affordable and, most importantly, with far less (if not zero) downtime. Together, we can remove the traditional IT barriers and join together to secure our world's infrastructure."
Brian Brammeier, CEO of Opscura

Chart: Sources of control system security services used by organizations (share of respondents)
Internal IT security resources: 56%
Internal OT security resources: 43%
Internal hybrid IT/OT team(s): 38%
Internal engineering team(s): 42%
Internal security teams under CISO/CSO/CTO: 36%
Security teams under CISO/CSO/CTO with both internal and external resources: 36%
Contracted resources (consultants): 40%
Outsourced resources (service company): 36%

(CS)2 Technologies, End Users

Not all technologies fit the needs and requirements of all environments. That said, we consider it likely that the organizations owning and/or operating ICS/OT assets who indicated they have Passive Network Anomaly Detection (58% IDS) would be well served by putting Active Intrusion Prevention Systems (IPS) into use. NextGen Firewalls have similarly wide utility and should be protecting more ICS environments from threats originating on their enterprise or other external networks. Unidirectional Gateways/Data Diodes have had a reputation for complexity and cost due to their use primarily in the highest security environments (e.g. nuclear power plants), but we have recently seen both of those factors diminish and expect to see more deployment in the future.

Chart: Security technologies used by organizations to protect control system assets against cyber threats (share of respondents)
Firewalls: 65%
NextGen Firewalls: 58%
Passive Network Anomaly Detection (IDS): 58%
Active Intrusion Prevention Systems (IPS): 52%
Sandboxing: 34%
Unidirectional Gateways/Data Diodes: 29%

Obstacles to Reducing the (CS)2 Attack Surface

(CS)2 Obstacles, High M vs Low M

We annually compare conditions and perspectives between distinct groups; here we consider what respondents see as their greatest obstacles through the lens of their organizations' relative control system cybersecurity program maturity (High M vs Low M), to identify what is working, what isn't, and how things change as organizations progress on their journeys of improving their security. In the chart we see that some obstacles are widely agreed upon, such as Insufficient Control System Cybersecurity Expertise (Low M 51.5%, High M 53.1%) and Insecure ICS/OT Protocols (Low M 23.5% vs High M 21.9%), while others differ widely, such as Technology That Cannot Support Encryption (Low M 26.5% vs High M 12.5%) and Insufficient Leadership Support (Low M 25.0% vs High M 15.6%). These suggest that more mature programs have overcome some of the hurdles that less mature programs are still struggling with.

Chart: What are the greatest obstacles to reducing the (CS)2 attack surface? (share of respondents, High M vs Low M)
Technology (e.g. PLC designs) that cannot support encryption: High M 13%, Low M 26%
Regulatory compliance requirements preventing application of innovation/new technology solutions: High M 28%, Low M 15%
Overly complex control system network: High M 25%, Low M 13%
Organizational complexity/constraints: High M 22%, Low M 32%
Operational requirements (e.g. mandatory uptime): High M 47%, Low M 26%
Insufficient technologies/tools: High M 16%, Low M 24%
Insufficient personnel: High M 28%, Low M 38%
Insufficient leadership support: High M 16%, Low M 25%
Insufficient financial resources: High M 22%, Low M 16%
Insufficient cyber threat intelligence: High M 19%, Low M 16%
Insufficient control system cybersecurity expertise: High M 53%, Low M 51%
Insecure ICS/OT protocols: High M 22%, Low M 24%

(CS)2 Obstacles, Organizational Level[4]

It is very unlikely that any one individual could have both a complete overview and all details of a modern control system environment, and differences in individuals' views inevitably lead to differences in their perceptions of what needs to be done. Here we see that the Executive consensus that Operational Requirements (50.0%), Insufficient Personnel (39.5%) and Insufficient (CS)2 Expertise (39.5%) are the largest obstacles partly aligns with Operations personnel (this group's highest being Insufficient Personnel 39.5% and Insufficient (CS)2 Expertise 37.0%), but Operations considers Operational Requirements much less of a hurdle (6th on the Operations list at 23.5%). Management disagrees with one or both parties frequently, highlighting the importance of knowing the role of end users within their organization when we support them in addressing their issues.

Chart: What are the greatest obstacles to reducing the (CS)2 attack surface? (share of respondents, by organizational level)
Technology (e.g. PLC designs) that cannot support encryption: Executives 29%, Management 24%, Operations 26%
Regulatory compliance requirements preventing application of innovation/new technology solutions: Executives 21%, Management 12%, Operations 17%
Overly complex control system network: Executives 26%, Management 27%, Operations 15%
Organizational complexity/constraints: Executives 29%, Management 33%, Operations 37%
Operational requirements (e.g. mandatory uptime): Executives 50%, Management 39%, Operations 23%
Insufficient technologies/tools: Executives 11%, Management 9%, Operations 25%
Insufficient personnel: Executives 39%, Management 27%, Operations 40%
Insufficient leadership support: Executives 11%, Management 21%, Operations 23%
Insufficient financial resources: Executives 24%, Management 12%, Operations 21%
Insufficient cyber threat intelligence: Executives 13%, Management 3%, Operations 16%
Insufficient control system cybersecurity expertise: Executives 39%, Management 58%, Operations 37%
Insecure ICS/OT protocols: Executives 13%, Management 30%, Operations 31%

[4] The number of participants responding to each question in our surveys varies. At times this results in insufficient representation from a particular subset of participants for valid statistical analysis. In the case of breaking down our data by participation from different levels of their organizations, we received too few Leadership-level respondents to include them in some charts.

(CS)2 Obstacles, End Users & Vendors

Our team found many of the differences in the perspectives of End User and Vendor respondents interesting. Do these derive from their ownership/operation of the control systems versus production/monitoring of OT assets, the distinct resources available to them, varied fiscal responsibilities, or some combination of factors? That Vendors identified Regulatory Compliance Requirements, Overly Complex Control System Networks, and Insufficient Cyber Threat Intelligence as top obstacles at two to three times the rate that End Users did is noteworthy. The only similar ratio from the End Users is their view of Insufficient Personnel (End Users 36.8% vs Vendors 13.5%). We advise Vendors to note what their End User clients identified as the greatest obstacles in order to best help them overcome those barriers.

Chart: What are the greatest obstacles to reducing the (CS)2 attack surface? (share of respondents, Vendors vs End Users)
Operational requirements (e.g. mandatory uptime): Vendors 38%, End Users 34%
Insufficient personnel: Vendors 14%, End Users 37%
Insufficient control system cybersecurity expertise: Vendors 54%, End Users 43%
Insufficient cyber threat intelligence: Vendors 35%, End Users 14%
Overly complex control system network: Vendors 41%, End Users 20%
Organizational complexity/constraints: Vendors 38%, End Users 35%
Insufficient technologies/tools: Vendors 24%, End Users 17%
Insufficient leadership support: Vendors 19%, End Users 21%
Insufficient financial resources: Vendors 16%, End Users 19%
Regulatory compliance requirements preventing application of innovation/new technology solutions: Vendors 38%, End Users 16%
Technology (e.g. PLC designs) that cannot support encryption: Vendors 24%, End Users 26%
Insecure ICS/OT protocols: Vendors 27%, End Users 26%

(CS)2 Obstacles, Regional Analysis[5][6]

For our final look at security obstacles we searched for differences between respondents from different regions of the globe. Control systems worldwide are largely built upon common technologies, so we expected some degree of uniformity of responses to this question regardless of geographic location and, in fact, this chart shows less differentiation than many in this report. One notable distinction is the Region 4 (APAC) identification of Insufficient Control System Cybersecurity Expertise (59.1%), 15 points higher than Region 2, Region 1, or Global. Respondents in Regions 2 (Europe: Central, Western and Northern) and 4 (APAC) are also more concerned with Overly Complex Control System Networks than the rest of the world (R2 29.0%, R4 36.4%, vs Global 20.1%).

Chart: What are the greatest obstacles to reducing the (CS)2 attack surface? (share of respondents, by region)
Technology (e.g. PLC designs) that cannot support encryption: Global 26%, Region 1 27%, Region 2 26%, Region 4 27%
Regulatory compliance requirements preventing application of innovation/new technology solutions: Global 16%, Region 1 13%, Region 2 23%, Region 4 23%
Overly complex control system network: Global 20%, Region 1 16%, Region 2 29%, Region 4 36%
Organizational complexity/constraints: Global 35%, Region 1 37%, Region 2 32%, Region 4 41%
Operational requirements (e.g. mandatory uptime): Global 34%, Region 1 34%, Region 2 35%, Region 4 27%
Insufficient technologies/tools: Global 17%, Region 1 16%, Region 2 16%, Region 4 18%
Insufficient personnel: Global 37%, Region 1 40%, Region 2 32%, Region 4 27%
Insufficient leadership support: Global 21%, Region 1 24%, Region 2 13%, Region 4 18%
Insufficient financial resources: Global 19%, Region 1 18%, Region 2 16%, Region 4 18%
Insufficient cyber threat intelligence: Global 14%, Region 1 12%, Region 2 19%, Region 4 9%
Insufficient control system cybersecurity expertise: Global 43%, Region 1 44%, Region 2 39%, Region 4 59%
Insecure ICS/OT protocols: Global 26%, Region 1 24%, Region 2 32%, Region 4 23%
112、%18%27%18%18%9%59%23%0%10%20%30%40%50%60%70%Technology(e.g.PLC designs)that cannot support encryptionRegulatory compliance requirements preventing application ofinnovation/new technology solutionsOverly complex control system networkOrganizational complexity/constraintsOperational requirements(e.g.m
113、andatory uptime)Insufficient technologies/toolsInsufficient personnelInsufficient leadership supportInsufficient financial resourcesInsufficient cyber threat intelligenceInsufficient control system cybersecurity expertiseInsecure ICS/OT protocolsRegion 4Region 2Region 1GlobalRegulatory compliance re
114、quirements preventing application of innovation/new technology solutions What are the greatest obstacles to reducing the(CS)2attack surface?5Just as in our analysis of responses by participant organizational level,some regions lacked sufficient representation for valid analysis.The tables below show
115、 only those regions with sufficient participation to include,as well as the Global(All respondents)for comparison.6(CS)2AI is organized into seven Regions.1)North America;2)Europe(Central,Western,Northern and Southern);3)Eurasia;4)Indo-Pacific;5)Middle East-North Africa;6)Southern Africa;7)Latin Ame
116、rica-Caribbean(CS)2Spending and BudgetsTop(CS)2ROI Organizational Level722The(CS)2AI-KPMG Control System Cybersecurity Annual Report 2024The(CS)2AI team and our many speakers are familiar with questions of how to get executive backing for security needs,particularly segmentation projects,which requi
117、re impact analysis and,in some cases,significant network re-architecture work,so it is good to see that most participant Executives recognize the ROI of implementing this in their organizations(57.1%),fundamental to both security and resiliency.We see as even more positive their support for(CS)2moni
118、toring(64.3%)after years of SME arguments that visibility is step 1 in any security improvement program.Respondents in Management,on the other hand,have found their best ROI in Training,whether for Security Awareness(60.0%)or Security Defenders(75%).Our team believes it important to draw attention t
119、o the fact that none of the Executives or Management participants consider Increased Control System Cybersecurity Staffing a top ROI(0%for both groups)despite 27-39%of them identifying Insufficient Personnel(See Chart(CS)2Obstacles Organizational Level)among their greatest obstacles to improving the
120、ir(CS)2situations.22%57%25%64%17%0%43%15%25%0%10%40%47%35%75%0%60%11%44%13%21%50%24%38%13%24%41%52%26%0%Improving communications/collaboration with IT/corporateteamsNetwork segmentation/micro-segmentationSecure remote access to control system networksControl system cyber security monitoringTraining
121、for security defendersIncreased control system cyber security staffingSecurity Awareness TrainingControl system cyber security technology solutions(hardware,software)Patch and Vulnerability managementBackups0%20%40%60%80%OperationsManagementExecutivesControl system cybersecurity technology solutions
122、(hardware,software)Improving communications/collaboration with IT/corporate teamsTop ROI area for(CS)2investments Increased control system cybersecurity staffingControl system cybersecurity monitoringSecure remote access to control system networksNetwork segmentation/micro-segmentationPatch and Vuln
123、erability management7Too few Leadership-level respondents answered to include them in this analysis.Top(CS)2ROI High M vs Low M23The(CS)2AI-KPMG Control System Cybersecurity Annual Report 2024Compared to their perspectives on security obstacles to overcome,there is more agreement between security pr
124、ograms on where they are finding the greatest Return on Investment(ROI)in their(CS)2expenditures.There are some obvious outliers to note,particularly the Low M emphasis on Improving Communications/Collaboration with IT/Corporate Teams(Low M 16.7%,High M 0%)and Backups8(Low M 0%,High M 50%).One possi
125、bility this suggests is that the most mature programs have already integrated teams and implemented solid backup systems and procedures,of course.The agreement between all groups that their highest ROI is in Network Segmentation/Micro-Segmentation is in line with years of research and recommendation
126、s to implement this to both improve overall security and reduce impacts of cyber incidents.0%75%40%53%33%11%55%27%24%50%17%50%25%36%27%36%38%39%27%0%0%20%40%60%80%Improvingcommunications/collaborationwith IT/corporate teamsNetwork segmentation/micro-segmentationSecure remote access to controlsystem
127、networksControl system cyber securitymonitoringTraining for security defendersIncreased control system cybersecurity staffingSecurity Awareness TrainingControl system cyber securitytechnology solutions(hardware,software)Patch and VulnerabilitymanagementBackupsLow MHigh MControl system cybersecurity
128、technology solutions(hardware,software)Improving communications/collaboration with IT/corporate teams50%of respondents believe that network segmentation is the top area for cybersecurity program ROI.The latest thinking in network engineering is that,at consequence boundaries,it is most beneficial to
 deploy any of several engineering-grade network segmentation approaches. Consequence boundaries include the IT/OT interface, any OT/Internet interface, and any other connection between networks whose worst-case consequences of compromise differ sharply. Results of attack tree analyses show that engineering-grade segmentation at such boundaries reduces a critical network's attack surface by up to 3 orders of magnitude.
Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

8 A possible indication of the more mature programs' experiences during the recent rise in ransomware attacks.

Spending Priorities: Organizational Level

This was a new question this year, and our team found participant responses interesting. Some general agreement aside (such as all levels identifying Protecting Continuous Operations as their top target for spending extra funds), the differences do stand out. Note the very low emphasis participants in Management put on Protecting Public Safety and Protecting Worker Safety (3.2% in both), and none on Protecting Product Quality. Given these differences, organizations are encouraged to foster discussions on aligning business priorities.

[Chart: Where would you direct extra discretionary funds for your organization? Responses by organizational level (Executive, Management, Operations) across Protecting Worker Safety, Protecting Trade Secrets, Protecting Public Safety, Protecting Product Quality, Protecting equipment programming and configuration, and Protecting Continuous Operations. Management responses: Worker Safety 3%, Trade Secrets 6%, Public Safety 3%, Product Quality 0%, Equipment programming and configuration 23%, Continuous Operations 65%. Protecting Continuous Operations was the top choice at every level.]

Vendor Budget Guidance to Clients: Vendors

Many asset owners/operators depend on SME advice from their trusted vendors, so we looked this year at vendor advice regarding resource allocation. Comparing this and the preceding chart, we see that the highest emphasis remains on Protecting Continuous Operations.

[Chart: Where would you advise most of your clients to direct more resources in the coming year? Protecting Continuous Operations 33%; the remaining responses (25%, 14%, 9%, 8%, 7%) are split between Protecting equipment programming and configuration, Protecting product quality, Protecting public safety, Protecting worker safety, and Protecting Trade Secrets.]

Top (CS)2 Expenditures: High M vs Low M vs All

We have included responses from all participants in these tables for ease of comparison. This allows us to show that the High M group spends significantly more on Security Awareness Training (50.0% High M vs 28.6% Low M and 35.0% All), as well as how relatively few of them focus on Control System Cybersecurity Consulting Services (20.0% High M vs 33.3% Low M and 33.8% All).

Top (CS)2 expenditure area (High M vs Low M vs All)
Expenditure area                                                                      All   High M  Low M
Internal SOC operations and services and Virtual/Cloud SOC operations and services    40%    36%    37%
Control system cybersecurity staffing                                                 31%    36%    34%
Security Awareness Training                                                           35%    50%    29%
Patch and Vulnerability management                                                    29%    29%    28%
Control system cybersecurity consulting services                                      34%    20%    33%
Control system cybersecurity technology solutions                                     35%    40%    37%

Top (CS)2 Expenditures: End Users

As an additional view into (CS)2 budget priorities beyond the top spend for the High and Low M groups, we also asked our End Users to identify the three areas their organizations put the most resources into. Security Technology and Security Consulting Services get the largest slices of the budget pie (totaling 56.3% and 50.6%, respectively, across first, second and third place). Our team considers it worth investigating whether the relatively low investment in Control System Cybersecurity Staffing is a contributing factor to
 the ongoing demand for workers in this field outstripping the supply.

[Chart: Top three areas organizations expend the most resources on for control system cybersecurity (End Users; 1-Most, 2-2nd Most, 3-3rd Most). Areas: Security Awareness Training; Internal SOC operations and services and Virtual/Cloud SOC operations and services; Control system cybersecurity staffing; Patch and Vulnerability management; Control system cybersecurity consulting services; Control system cybersecurity technology solutions.]

(CS)2 Budget Change: Longitudinal Analysis

A slim majority of organizations continue to increase their (CS)2 budgets (53%), with this response rate hovering close to the midpoint for several years (47% in 2022, 52% in 2020). There is a pattern of steady increase in the slow-growth group, those with (CS)2 budget increases of below 30%, rising from 20% of respondents in 2020 to 34% this year. The higher-growth group, those with increases above 30%, has correspondingly shrunk from 31% of 2020 respondents to 19% now. Members of our analysis team pointed out certain slowdowns in the (CS)2 vendor/solution provider sector, possibly a response to increased competition, or to overshooting market appetite.

The continued commitment to increase spending YOY shows that organizations are coming to better understand the threat landscape in which they operate and some degree of the exposure they face. Recent (CS)2 cyber incident headlines have increased awareness of both the cyber risks present and the necessary actions to prevent a similar event from occurring.
Brad Raiford, Director, National IoT & OT Cyber Services, KPMG in the US

Estimations of how this year's organizational control system security budget compares to prior years
Response                                                         2020  2022  2023
Don't know                                                        20%   23%   13%
Organizational policy prevents me from answering this question    14%   11%   13%
Increase of more than 50%                                         12%    6%   11%
Increase of more than 30%                                         19%   12%    8%
Increase of more than 10%                                         10%   21%   21%
Increase of less than 10%                                         10%    7%   13%
No change from previous year                                      13%    9%   13%
Decrease of less than 10%                                          1%    2%    1%
Decrease of more than 10%                                          0%    2%    3%
Decrease of more than 30%                                          0%    3%    3%
Decrease of more than 50%                                          0%    3%    1%

Planned (CS)2 Investments: High vs Low M

With the strong support for the value of Network Segmentation (see charts on Top ROI), we consider it notable that few organizations plan to focus their upcoming security spend in that area. The explanation may be that High M organizations have already significantly segmented their networks, so they are now spending much less there (3%) than the Low Ms (15%). A similar factor may be behind the difference in their planned expenditures on Asset Inventory & Management and Threat Detection.

Highest investment areas for (CS)2 for the year ahead (High M vs Low M)
Investment area                High M  Low M
Asset Inventory & Management     19%    30%
Vulnerability Management         22%    21%
Threat Detection                 22%     8%
Supply Chain Security             9%     6%
Compliance Reporting              3%     3%
Secure Remote Access              9%    12%
Network Segmentation              3%    15%

Planned (CS)2 Investments: Regions

Response to this question was insufficient in Regions 3-7 (9) to include, but plans are quite different between respondents in Regions 1 and 2. Region 2 participants are focused currently on Secure Remote Access and Threat Detection (10) (25% on both), while their North American colleagues seem to consider Vulnerability Management and Asset Inventory & Management more pressing matters (18.4% and 24.3%, respectively). One possibility
 raised in our review is that Region 2 organizations have resolved these concerns to a degree not yet accomplished in Region 1.

Highest OT cybersecurity investment areas for the year ahead (by Region, as labeled on the chart)
Investment area                Region 1  Global  Region 2
Asset Inventory & Management     24%      28%     13%
Vulnerability Management         18%      22%      8%
Threat Detection                 13%       9%     25%
Supply Chain Security             7%       7%      4%
Compliance Reporting              3%       3%      4%
Secure Remote Access             13%       7%     25%
Network Segmentation             13%      12%     13%

9 (CS)2AI is organized into seven Regions: 1) North America; 2) Europe (Central, Western, Northern and Southern); 3) Eurasia; 4) Indo-Pacific; 5) Middle East-North Africa; 6) Southern Africa; 7) Latin America-Caribbean.
10 One possible factor here is that regulatory bodies in Europe (both national and international) have been advancing/issuing legislation requiring threat detection in multiple industries and infrastructure sectors.

(CS)2 Budgets: High M vs Low M

We have seen that High M organizations tend to have the highest control system cybersecurity budgets. One theory is that the larger organizations (i.e., those with the greater resources) are generally further along in their security journey than smaller ones. While recognizing that the financial challenges to smaller companies allocating sufficient resources to improving their security are often greater, we also wish to point out that those same fiscal limitations may mean they have less capability to weather and recover from the impacts of damaging cyber incidents. The threat of a cyber attack shutting down their operations for an extended time may be more existential to them, and their risk management processes need to take this into consideration.

This correlation also highlights the need for the (CS)2 space to better serve smaller customers with solutions and services that scale down to their budgets.
Rod Locke, Director, Product Management, Fortinet

[Chart: Total (CS)2 budget estimations by organizations for the previous Fiscal Year (Low M, High M, All). Budget bands: More than $10M; More than $5M; More than $1M; More than $500K; More than $250K; More than $100K; More than $50K; More than $25K; More than $10K; Less than $10K.]

(CS)2 Assessments

(CS)2 Assessment Frequency: High M vs Low M

One of the clearest differences between programs of varied maturity levels is the frequency of their control system cybersecurity assessments, with fully half of the High M programs conducting these at least quarterly while over half of the Low M programs carry these out only annually or less often. That 9% of Low M programs do not or have not performed security assessments speaks for itself.

Frequency of (CS)2 assessments by organizations (High M vs Low M)
Frequency                                          High M  Low M
Monthly                                              25%     7%
Quarterly                                            25%    12%
Twice each year                                       6%     9%
Annually                                             28%    29%
Once every two years                                  0%     7%
Less often than once every two years                  0%    10%
Only in response to security incidents                3%    12%
None performed                                        0%     9%
Don't know                                            3%     1%
Organizational policy prevents me from answering      9%     3%

(CS)2 Assessment Frequency: End Users & Vendors

Vendors bear a different responsibility for their security from End Users because they must protect not only themselves but their clients, who often grant privileged access for ongoing monitoring, maintenance, and updates. Our team was glad to see that Vendors are carrying out (CS)2 assessments so frequently, with over two-thirds (67.6%) assessing at least Twice Each Year. Their position in End Users' supply chains makes them a very valuable target to attackers (11). That the End User organizations do so less often, with their single largest group assessing only Annually (35.6%), is less encouraging. Technology, privileged personnel, attack methods and attacker capabilities all change continually and, even with IPS/IDS (Intrusion Prevention/Detection Systems) in place, some victims only discover that malefactors have accessed their networks during assessment activity. More frequent assessments can greatly reduce this dwell time and thereby the potential harm of all sorts. We recommend that all organizations, End User and Vendor alike, assess their (CS)2 networks and assets at least quarterly.

Frequency of (CS)2 assessments by organizations (End Users vs Vendors)
Frequency                                   End Users  Vendors
Monthly                                         9%       19%
Quarterly                                      15%       38%
Twice each year                                 9%       11%
Annually                                       36%        8%
Once every two years                            5%        8%
Less often than once every two years            5%        5%
Only in response to security incidents          7%        5%
None performed                                  5%        3%

11 See any of the many articles reporting on the SolarWinds supply chain attack, disclosed in December 2020 and widely reported through 2021.

(CS)2 Assessment Inclusions: High M vs Low M

Of no less importance than the frequency of security assessments is their thoroughness and, as this table indicates, High M programs conduct more complete assessments than Low M ones on every metric we use, by at least 50% in almost every category.

Components included in organizations' (CS)2 assessments (High M vs Low M)
Component                                                              High M  Low M
Comprehensive (i.e., end-to-end)                                         48%    25%
Cybersecurity roles and responsibilities                                 71%    43%
Inventory of assets                                                      77%    54%
Inventory of external connectivity                                       55%    38%
Network architecture                                                     87%    54%
Physical security                                                        71%    56%
Review of 3rd party assessment of organizational penetration testing     52%    30%
Review of business and financial systems                                 42%    18%
Review of cybersecurity policies and procedures (and documentation)      77%    51%
Review of Incident Response Plan(s)                                      61%    41%
Review of security awareness and training program(s)                     65%    39%

(CS)2 Assessment Inclusions: End Users & Vendors

There is an interesting observation to be made here in that End Users appear to carry out all of these security checks more often than Vendors do, except for Comprehensive Assessments (End Users 26% vs Vendors 36%). This suggests that End Users' assessments, while including multiple important activities (End Users: Physical Security 62%, Network Architecture 69%, Inventory of Assets 63%, etc.), are less often complete than those of Vendors or Vendors' clients. It is possible that End Users lack the end-to-end visibility needed here. It is also important to keep in mind that Vendors are often mid-stream and must consider the security of their own supply chain and their application security as well as what they provide to their clients/customers. Every item listed in this chart addresses critical points in preventing bad actors from progressing along their kill chains (or catching them as they do). We recommend developing plans that include all of these components, each with defined assessment and remediation cycles.

Components included in organizations' (CS)2 assessments (End Users vs Vendors)
Component                                                              End Users  Vendors
Comprehensive (i.e., end-to-end)                                          26%       36%
Cybersecurity roles and responsibilities                                  58%       39%
Inventory of assets                                                       63%       39%
Inventory of external connectivity                                        46%       24%
Network architecture                                                      69%       52%
Physical security                                                         62%       36%
Review of 3rd party assessment of organizational penetration testing      40%       33%
Review of business and financial systems                                  21%       18%
Review of cybersecurity policies and procedures (and documentation)       63%       55%
Review of Incident Response Plan(s)                                       53%       33%
Review of security awareness and training program(s)                      49%       36%

(CS)2 Assessment Responses: High M vs Low M

To complete the triumvirate of organizations' (CS)2 assessment factors, we investigated what they do after their analyses. Again, we see that High M programs follow through on assessment findings more often than Low M programs on every metric. Particularly notable are their actions to Develop and Implement Remediation Plans (41.0% Low M vs 67.7% High M) and to Replace Vulnerable Control System Hardware, Software, Devices, etc. (29.5% vs 61.3%).

Activities carried out/planned in response to findings of (CS)2 assessments completed by organizations within the last 12 months (High M vs Low M)
Activity                                                               High M  Low M
Develop and implement remediation plan                                   68%    41%
Cybersecurity strategy update                                            68%    46%
Cybersecurity roadmap/initiatives reprioritization                       68%    57%
Penetration testing                                                      39%    36%
Replace vulnerable control system hardware, software, devices, etc.      61%    30%
Procure new security technologies                                        61%    41%
Replace or upgrade security solutions                                    55%    33%
Adopt new or improved security processes                                 68%    52%

While investments in cyber hygiene activities (network segmentation, training and vulnerability patching) are key to preventing potential compromise of an industrial network, it will be tough to prevent a highly motivated and technically sophisticated threat actor from accessing the network. The ability to recover fast from a cyber incident will be critical to minimize disruption to operations or to the supply of essentials such as electricity or water to consumers. Routine backup and recovery assessments should be reviewed to improve the cyber resiliency of critical or industrial systems.
Eddie Toh, Partner, KPMG in Singapore and Head of Forensic Technology, KPMG in Asia Pacific

Pre-Acquisition (CS)2 Risk Assessments: High M vs Low M

Risk evaluation of new devices and/or software is not the same as cyclical security assessment and must be considered separately. Just as we saw that organizations with High M (CS)2 programs carry out overall security assessments more frequently, we note that they are more likely to conduct almost all types of
 pre-acquisition risk assessment (Security Questionnaire being the exception). Increased US regulatory activity is likely a factor in the deltas touching on compliance for many of our respondents, but we see the high rate of Technical Testing among High M programs (27.9% Low M vs 81.3% High M) as positive and, since such testing provides only snapshots, complementary to periodic security assessments.

Risk assessments performed by organizations before acquiring control system products or services (High M vs Low M)
Assessment type                                                                                        High M  Low M
Internal review of vendor product and/or service risk profile                                            72%    44%
Require vendor to complete security questionnaire                                                        47%    49%
Informal discussions with vendor                                                                         53%    41%
Request vendor SOC 2 Type 2 report or ISO 27001 certificate                                              41%    32%
IEC 62443-4-1 compliance                                                                                 38%    12%
Technical testing (e.g. vulnerability analysis, architecture review, penetration test, etc.)             81%    28%
ISA/IEC 62443 part 4-2 and 3-3 requirements/capabilities in products                                     53%    15%
Top 20 Secure PLC Coding Practices for vendors and integrators providing products and services           28%    25%
None                                                                                                      0%     6%

Security Training

(CS)2 Awareness Training Integration: End Users

The obvious concern here is that so many End User organizations lack any (CS)2 Awareness Training (16.1% Nonexistent). Whether driven by IT departments, Risk Management programs, wholly within Operations or by some other design, achieving and maintaining high awareness of (CS)2 threats, attack methods, vulnerabilities, and procedures is essential to managing the risks inherent in any ICS/OT operational environment. We cannot recommend highly enough that every organization with responsibilities for assets/operations implement such programs.

My organization's Control System Security Awareness Training is... (End Users)
Integrated with IT Security Awareness training                                                  39%
Integrated with physical security training                                                       6%
A separate program from IT or physical security training                                        34%
Nonexistent (my organization does not have control system cybersecurity awareness training)     16%

(CS)2 Awareness Training Integration: High M vs Low M

Breaking out our data by maturity level groups reveals that it is exclusively organizations with Low Maturity (CS)2 security programs that lack the relevant Awareness Training (24% Nonexistent vs 0% High M), while most of their colleagues in the High M group have integrated their IT Security and Control System Cybersecurity Awareness trainings.

My organization's Control System Security Awareness Training is... (High M vs Low M)
                                                                                                High M  Low M
Integrated with IT Security Awareness Training                                                    53%    31%
Integrated with Physical Security Training                                                         0%    12%
A separate program from IT or Physical Security Training                                          41%    31%
Nonexistent (my organization does not have Control System Cybersecurity Awareness Training)        0%    24%

(CS)2 Training Inclusions: High M vs Low M

Although we did not include security training in our descriptions of the various security program maturity levels, it is clear from this chart that the High M organizations invest more in ensuring a trained workforce. The only component in which the two groups are even close to one another is the use of printed materials, which is often considered less effective than any of the others. In fact, it is in the most effective areas, such as Simulations (of any kind) and Instructor-Led Training, that we see some of the largest deltas. The greater use of Security Awareness Training Effectiveness Testing (High M 77% vs Low M 54%) should enable these companies to focus on what works best and continually improve their training programs.

Components included in organizations' control system security related training (High M vs Low M)
Component                                                                               High M  Low M
Phishing simulations                                                                      74%    44%
Social Engineering simulations                                                            55%    38%
Security Awareness Training Effectiveness Testing                                         77%    54%
Incident Simulation (tabletop)                                                            65%    44%
Incident Simulation (live scenario)                                                       32%    16%
Computer-Based Training (CBT)                                                             77%    44%
Instructor-led training                                                                   52%    24%
Printed Materials (posters, flyers, newsletters, etc.)                                    39%    36%
Different programs for different user populations (e.g. Management, Legal, IT, OT, etc.)  65%    26%

(CS)2 Networks

Control System Component Accessibility

Overall, this chart and those following are quite concerning. To have so many elements of control systems accessible, even controllable, from the internet (from 15% of Low M PLCs to 39% of Low M Historians) indicates that attackers have a very large attack surface and the potential for high impacts on these companies. Some of our SME contributors pointed out the importance of keeping in mind that "accessible" does not reveal the controls on, or the method of, that accessibility. These could be systems with ports open to the Internet (e.g. an HMI login screen), with remote access enabled from the Internet (e.g. VPN/RDP), reachable from another machine exposed to the Internet (e.g. a jump host), or on a network reachable from such a jump host. The specifics of their accessibility and the protective controls on that accessibility are critical considerations in evaluating their risk levels.
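The distinction drawn above between a port open directly to the Internet, remote access through a VPN/RDP gateway, and reachability through a jump host is easiest to see as a reachability question over an inventory of permitted network flows. The following Python script is an added example, not code from the (CS)2AI-KPMG report or from any survey participant; the host names, the flow list and the control/monitor label on each flow are constructed for illustration. It walks every permitted flow outward from the Internet, records the path to each control system component, and classifies the component as controllable (every hop on the path permits commands) or monitor-only (at least one hop is read-only), which is the same Monitored/Controlled split the charts below make.

```python
"""Transitive Internet-exposure check for control system components.

Added example (not from the (CS)2AI-KPMG report). The inventory below is
constructed: host names, flows and the control/monitor labels are illustrative.
"""
from collections import deque

# Constructed sample inventory of permitted flows: (source, destination,
# protocol, access). access is "control" when the flow can issue commands or
# writes, "monitor" when it is read-only (e.g. a historian's web dashboard).
SAMPLE_FLOWS = [
    ("internet", "vpn-gw", "ipsec", "control"),      # remote access enabled from the Internet
    ("vpn-gw", "jump-host", "rdp", "control"),       # VPN users land on a jump host
    ("jump-host", "hmi-01", "rdp", "control"),       # jump host reaches the HMI
    ("jump-host", "plc-07", "modbus", "control"),    # ... and writes to a PLC directly
    ("internet", "historian", "https", "monitor"),   # historian dashboard open to the Internet, read-only
    ("historian", "plc-07", "opc-ua", "monitor"),    # historian polls the PLC
    ("eng-ws", "plc-07", "s7comm", "control"),       # engineering workstation, no Internet path
]

# Constructed component inventory: the assets the assessment cares about.
COMPONENTS = {"plc-07": "PLC", "hmi-01": "HMI", "historian": "Historian", "eng-ws": "Workstation"}


def exposure_paths(flows, source="internet"):
    """Return {host: (access, path)} for every host reachable from `source`.

    Breadth-first search over the flow graph. The access level of a path is
    "control" only if every hop on it is a control flow; a single read-only
    hop downgrades the path to "monitor". A host first reached monitor-only is
    revisited if a later path reaches it with control, so the result records
    the strongest access the Internet has to each host. Hosts already known
    with control are never re-enqueued, so cycles in the flow list terminate.
    """
    adjacency = {}
    for src, dst, proto, access in flows:
        adjacency.setdefault(src, []).append((dst, proto, access))

    best = {}
    queue = deque([(source, "control", [source])])
    while queue:
        host, access, path = queue.popleft()
        for dst, proto, hop_access in adjacency.get(host, []):
            new_access = "control" if access == "control" and hop_access == "control" else "monitor"
            new_path = path + [f"{dst}[{proto}]"]
            known = best.get(dst)
            if known is None or (known[0] == "monitor" and new_access == "control"):
                best[dst] = (new_access, new_path)
                queue.append((dst, new_access, new_path))
    return best


def classify_components(flows, components, source="internet"):
    """Map each component to ('controlled' | 'monitored' | 'not reachable', path string)."""
    reachable = exposure_paths(flows, source)
    result = {}
    for host in components:
        if host in reachable:
            access, path = reachable[host]
            label = "controlled" if access == "control" else "monitored"
            result[host] = (label, " > ".join(path))
        else:
            result[host] = ("not reachable", "")
    return result


def via_intermediate_host(path):
    """True when the path reaches the component through another host rather than directly."""
    return path.count(" > ") > 1


if __name__ == "__main__":
    for host, (label, path) in classify_components(SAMPLE_FLOWS, COMPONENTS).items():
        note = " (via intermediate host)" if path and via_intermediate_host(path) else ""
        print(f"{COMPONENTS[host]:<11} {host:<9} {label:<13}{note} {path}")
```

In the constructed inventory the PLC never has a port open to the Internet, yet it comes back as controllable because the VPN gateway and jump host chain every hop with command-capable protocols; the historian is reachable directly but only monitor-only, and the engineering workstation has no Internet path at all. In practice the flow list would be exported from firewall policy or from a network monitoring tool's observed-conversation table, and a component found controllable through an intermediate host deserves the same scrutiny as one exposed directly.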
203、in evaluating their risk levels.80%69%85%20%31%15%65%62%74%35%38%26%63%62%75%37%38%25%60%64%64%40%36%36%73%79%61%27%21%39%0%10%20%30%40%50%60%70%80%90%AllHigh MLow MAllHigh MLow MMonitoredControlledComponents Accessible from the InternetHistorianWorkstationsServersHuman Machine Interfaces(HMI)PLCs,I
We do consider it curious that so many components are as frequently controllable via the internet in High M organizations as in Low M ones. Indeed, Servers, HMIs and PLCs/IEDs/RTUs are more often accessible this way in the former.[12] This pattern continues in the following charts showing component accessibility from Business Networks, Vendors/Integrators, and the Cloud.

[12] The high ROI placed on network segmentation by the more mature group (75%, see chart on Top ROI High M vs Low M) may be an influence here.

Control System Component Accessibility (cont.)

The (CS)2AI-KPMG Control System Cybersecurity Annual Report 2024

These responses indicate that outside access to control systems is prevalent today, including from business networks, vendors, and the cloud. Because of this increasing IT/OT convergence, it is imperative that organizations consider control system security as part of their overall security program, rather than as a separate domain. This applies both to security management programs (under standards such as IEC 62443 and ISO 27001) and to the controls used to secure and monitor these systems. In Fortinet's 2023 State of Operational Technology and Cybersecurity Report, respondents indicated that OT security is part of the CISO's responsibilities in almost all organizations (95%). The reality of IT/OT convergence was also reflected in organizations' view of the threat landscape, where a strong majority of organizations (77%) viewed ransomware as a larger concern than other threats to the OT environment.

Rod Locke, Director, Product Management, Fortinet

Components Accessible From Business Network (All / High M / Low M; Monitored vs Controlled)

                            Monitored                Controlled
Component                   All    High M   Low M    All    High M   Low M
PLCs, IEDs, RTUs            47%    50%      52%      53%    50%      48%
Human Machine Interfaces    51%    61%      51%      49%    39%      49%
Servers                     48%    45%      56%      52%    55%      44%
Workstations                41%    38%      40%      59%    62%      60%
Historian                   59%    71%      57%      41%    29%      43%

Components Accessible Remotely by Vendor/Integrator (All / High M / Low M; Monitored vs Controlled)

                            Monitored                Controlled
Component                   All    High M   Low M    All    High M   Low M
PLCs, IEDs, RTUs            59%    67%      50%      41%    33%      50%
Human Machine Interfaces    59%    64%      63%      41%    36%      37%
Servers                     51%    57%      57%      49%    43%      43%
Workstations                53%    60%      56%      47%    40%      44%
Historian                   62%    54%      62%      38%    46%      38%

Components Accessible from Cloud (All / High M / Low M; Monitored vs Controlled)

                            Monitored                Controlled
Component                   All    High M   Low M    All    High M   Low M
PLCs, IEDs, RTUs            65%    50%      67%      35%    50%      33%
Human Machine Interfaces    63%    60%      61%      38%    40%      39%
Servers                     58%    62%      64%      42%    38%      36%
Workstations                54%    50%      58%      46%    50%      42%
Historian                   67%    60%      70%      33%    40%      30%

Current Managed (CS)2 Services High M vs Low M

This year's participants have again indicated that the High M organizations are more likely to either have managed services already handling their cybersecurity (25.8% High M vs 16% Low M) or be in the process of doing so with Pilot Projects (25.8% High M vs 7% Low M).

Current state of organizations' managed control system security services (High M vs Low M)

Response                                                                   High M   Low M
We have no plans to implement managed services over our control systems    13%      21%
Planning to implement within 12 months                                     16%      37%
Planning to implement within 24 months                                     6%       19%
Pilot project is currently running                                         26%      7%
Managed services already handle the cybersecurity of our control systems   26%      16%

Use of Managed (CS)2 Services Longitudinal Analysis

The shift towards use of managed (CS)2 services is in line with many years of our advice to readers. Training and education of internal resources has inarguable points, but these are longer (and possibly less certain in the short term) investments. The (CS)2 workforce supply of knowledgeable and experienced practitioners has long been insufficient to meet the demands of the rapidly changing technology, practices, and growing hyperconnectivity of control system devices. That this feeds an expanding market for (CS)2 services is inevitable.
Our recommendation for those companies with sufficient resources is to pursue both internal resource development programs and use outside expertise to address the immediate needs of protecting their assets and operations. We believe this is the best approach to improve the long-term outlook for their organizations.

Current state of organizations' managed control system security services (Longitudinal)

Response                                                                   2020   2022   2023
We have no plans to implement managed services over our control systems    31%    23%    17%
Planning to implement within 24 months                                     11%    21%    14%
Planning to implement within 12 months                                     25%    20%    30%
Pilot project is currently running                                         13%    12%    13%
Managed services already handle the cyber security of our control systems  20%    25%    19%

Current (CS)2 Technologies High M vs Low M

Other than the overall trend of High M organizations using every security technology more often than the Low M group, the large deltas between the use both of Active Intrusion Prevention Systems (High M 78.1% vs Low M 36.8%) and Passive Network Anomaly Detection (High M 81.3% vs Low M 36.8%) indicate a much greater likelihood that these companies will identify and block attempted incursions in shorter timespans, thus reducing potential impact on their systems.

Chart: Security technologies in use to protect organization control system assets against cyber threats (Low M vs High M). Technologies: Unidirectional Gateways/Data Diodes; Firewalls; NextGen Firewalls; Passive Network Anomaly Detection (IDS); Active Intrusion Prevention Systems (IPS); Sandboxing.

(CS)2 Network Monitoring Longitudinal Analysis

Visibility into our control system networks is crucial to protecting those networks and connected assets. Whereas OT culture was historically resistant to introducing network monitoring technologies into their environments (understandably, due to some cases of operational disruption occurring from doing so), the tools and techniques providing this insight have continued to mature and improve, with acceptance of their risk/benefit ratio increasing. It is encouraging to see the year-over-year growth of organizations who have implemented (CS)2 network monitoring and plan to strengthen it, increasing from none a few years ago to 17.9% today. Organizations not planning to implement any network activity monitoring have dropped to a single-digit percentage (9%) for the first time. The results show that organizations will continue to deploy and strengthen network activity monitoring into the future. The spike of organizations with no plans to implement monitoring in 2022 (19%) was originally thought to be an indication of many moving into the "All is monitored" state; that is called into question by this year's results. We will continue to pursue this puzzle.

Current state of organizations' Control System Network Activity Monitoring (Longitudinal)

Response                                                                                                   2020   2022   2023
Control system network activity monitoring is not planned                                                  11%    19%    9%
Planning to implement within 24 months                                                                     10%    21%    14%
Planning to implement within 12 months                                                                     17%    8%     19%
Pilot project is in place                                                                                  31%    17%    17%
All control system network activity is monitored                                                           30%    25%    24%
All control system networks are monitored and we are planning to increase the degree of monitoring
within the next 18 months                                                                                  -      10%    18%

As operational technology modernizes, the attack surface continues to expand when OT systems increasingly connect to IT systems. Threat actors will continue to employ sophisticated "Tactics, Techniques, and Procedures" and exploit it against any weak links to disrupt such systems. For example, given the breadth of its functionality, Pipedream is an example of increased sophistication and capability of threat actors in disrupting industrial systems. To detect malicious activities and respond timely to such events, it will be imperative to have visibility and continuous monitoring on the OT/IT/IIOT network.

Eddie Toh, Partner, KPMG in Singapore and Head of Forensic Technology, KPMG in Asia Pacific

(CS)2 Visibility End Users

Our team considers the confidence level of our largest End User respondent group (Limited Confidence, We Have Some Blind Spots: 43.7%) quite realistic. Visibility into control system networks has always been an issue, and it is only in recent years that the tools to gain this important capability have become widespread. We recommend that our readers, if they have not already done so, make use of these tools to overcome the blind spots and provide their (CS)2 defenders with the essential knowledge they need to perform their roles.

Chart: Confidence in the visibility of devices, users and applications on organization networks (End Users). Response options: No confidence, don't know what I don't know; Limited confidence, we have some blind spots (43.7%); Somewhat confident, check routinely; Very confident, few if any weaknesses known; 100% confident, continuously monitor with tools.

Offline network modeling serves as the fastest and most effective method of providing comprehensive network visibility in a non-intrusive manner. It helps build an accurate understanding of the network environments that we are committed to protecting without disrupting operations. By analyzing network configurations, topologies, and security policies in an offline setting, we gain deep insights into critical communication paths and coverage gaps that might otherwise remain hidden during a live network analysis session. This method preserves the integrity and performance of the network while quickly identifying and addressing areas lacking visibility, thereby bolstering the network's defense against potential cyber threats.

Robin Berthier, CEO and Co-Founder, Network Perception

(CS)2 Incidents

(CS)2 Attack Responses End Users

Our team was glad to see the level of confidence in cyberattack incident response processes among asset owner/operators (End Users), with 58% at least Somewhat Confident, and most of those Very or 100% Confident. This is greater confidence than this group had in their visibility into their own networks (see previous table on Visibility).

Chart: Confidence in organizations' response processes in the event of a cyberattack (End Users).
Response options: Not confident, don't know what I don't know; Limited confidence, we have some blind spots; Somewhat confident, test process routinely; Very confident, few if any weaknesses known; 100% confident, continuously monitor with tools.

Recent (CS)2 Incidents Longitudinal

While there was a very slight rise in respondents involved with more than 50 (CS)2 incidents in the past year (from 5.2% last report to 5.8% now), the obvious standout results are the large increase in answers of None (2022 14.8% vs 2023 25.4%) and the decrease in 26-50 (2022 19.4% vs 2023 10.1%). It is hoped that this shows the results of ongoing protection and resiliency efforts rather than ignorance or error.

Chart: Recent (CS)2 incidents in the past year (Longitudinal).

60%) of respondents in the 30-50 age range. We tend to focus heavily on the Operations group as they work most directly with the assets/systems and make up a critical bank of technical knowledge and expertise which leaves with them when they retire. Preserving that generational store while keeping up to date with evolutionary developments is crucial to maintaining and improving protection of our control systems, so it is positive that cohorts in their mid and early careers, those learning from more senior resources, are represented in such strong numbers.

Chart: Age ranges by Organizational Level (Execs, Leaders, Management, Ops). Age ranges: 25-29; 30-34; 35-39; 40-44; 45-49; 50-54; 55-59; 60 or older.

Respondent Education Levels

The profile of participants' education is very similar to previous years.

Highest level of education completed or the highest degree received

Less than high school degree                                      0%
High school degree or equivalent (e.g., trade school, GED)        6%
Some college but no degree                                        9%
Associate degree                                                  10%
Bachelor degree                                                   36%
Graduate degree                                                   36%
I decline to answer                                               2%

Respondent Organizational Category

Respondent organization's category in relation to control system cybersecurity

End user (my organization uses security services/technology provided by others to protect its own operations and/or assets)                       38%
Security services vendor and/or consultancy (my organization provides services to protect the control system operations/assets of others)       48%
Technology vendor (my organization provides hardware/software to protect the control system operations/assets of others)                         30%
Systems Integrator                                                                                                                                14%

Nearly an even percentage swap between End User and Technology Vendor (EU down 10 points, TV up 7). Systems Integrator was a new category this year. This was a Pick-All-That-Apply (PATA) question, so the total is well over 100%. There was also an Other category this year, which received 5% of responses.

Participation by Industry (End Users Only)

Chart: Industries focused on by respondents' organization: Manufacturing - Printing and Related Support Activities; Transportation - Pipeline; Transportation - Truck; Hospitals; Agriculture; Delivery Services; Internet Publishing and Broadcasting; Manufacturing - Petroleum and Coal Products; Warehousing and Storage; Manufacturing - Food/Beverage; Transportation - Rail; Arts, Entertainment, and Recreation; Management of Companies and Enterprises; Manufacturing - Fabricated Metal Product; Manufacturing - Pharmaceutical; Aerospace (including Defense); Finance/Insurance; Manufacturing - Electrical Equipment, Appliance, and Component; Manufacturing - Machinery; Telecommunications; Manufacturing - Computer and Electronic Product; Professional, Scientific, and Technical Services (including cybersecurity services); Administrative and Support Services; Electric Power Transmission; Natural Gas Distribution; Oil and Gas Extraction; Data Processing, Hosting, and Related Services; Manufacturing - Chemical; Educational Services; Water, Sewage and Other Systems; Government; Electric Power Distribution; Electric Power Generation.

Where do organizations go to find the aid they need to protect their (CS)2 assets, people, and operations? Everywhere they can, according to our respondents. The standout response of Internal IT Security Resources (56.2%) suggests that OT cybersecurity is being driven by IT groups in most organizations, with the concomitant likelihood that IT security methods and technologies are being applied in these environments.

Respondent Organization Sizes

Best estimates of organizations' workforce size

Very Small: <100                   19%
Small: 100-500                     18%
Small-Medium: 500-1,000            13%
Medium: 1,001 to 5,000             15%
Medium-Large: 5,001 to 15,000      11%
Large: 15,001 to 50,000            10%
Very Large: Over 50,000            13%

Respondent Decision Roles

Role in making decisions on control system security-related expenditures

Approving financial decisions      11%
Making financial decisions         19%
Influencing financial decisions    44%
Recommending financial decisions   16%
None                               10%

Respondent Decision Roles, End Users Only

Participant roles in making decisions on control system security-related expenditures (End Users Only)

Approving financial decisions      14%
Making financial decisions         15%
Influencing financial decisions    36%
Recommending financial decisions   23%
None                               11%

Respondent Titles and Organizational Level Representation

Chart: Respondent titles in relation to their control system security-related work. Titles: None of the above; ICS/OT Security Consultant; Process Control Engineer; ICS/OT Security Engineer/Analyst; Operations Director or Plant Director; IT/OT Architect; Security Design Engineer; Security Administrator/Analyst; Capital Project Lead; Project Execution Lead; Production Engineering Manager; Security Manager; Security Director; VP of Engineering; Chief Digital Officer; Compliance Officer/Auditor; Chief Operations Officer (COO); Chief Risk Officer (CRO); Chief Technology Officer (CTO); Chief Security Officer (CSO); Chief Information Security Officer (CISO).

Respondent Titles and Organizational Level Representation (cont.)

Chart: Respondent Organizational Level Representation (Executives, Leaders, Management, Operations, None).

Appendix B: Annual Report Steering Committee & Contributors

Derek Harp, (CS)2AI Founder and Chairman; Annual Survey & Report Chair, Co-Author; derek.harp@cs2ai.org
Bengt Gregory-Brown, (CS)2AI Co-Founder and President; Annual Survey & Report Director, Lead Designer & Analyst, Co-Author; bengt.gregory-brown@cs2ai
Walter Risi, (CS)2AI Strategic Alliance Partner Liaison; Survey Design and Report Analysis Teams; Global OT Cybersecurity Leader, KPMG International, and Partner and Head of Consulting, KPMG in A.ar
Andrew Ginter, Survey Design and Report Analysis Teams; (CS)2AI Founding Fellow; Author and Lecturer; VP Industrial Security, Waterfall Security Solutions; andrew.ginter@waterfall-

We would like to thank
the following people for their contributions to the analysis, design, and other work in developing this report.

Ana Girdner, VP of Security, Cognite
Brent Huston, CEO, MicroSolved
Daryl Haegley, Technical Director, Control Systems Cyber Resiliency, US DoD
Mark Bristow, Director, CIPIC, MITRE
Michael Chipley, President, The PMC Group
Rees Machtemes, Director of Industrial Security, Waterfall Security Solutions
Rod Locke, Director of Product Management, Fortinet
Steve Mustard, President & CEO, National Automation
Vivek Ponnada, Technology Solutions Director, Nozomi Networks
Anish Mitra, Director, KPMG in India
Hossain Alshedoki, Director, KPMG in Saudi Arabia
Jayne Goble, Director, KPMG in the UK
Craig Morris, Director, KPMG Australia
Joshua Turner, Consultant, KPMG in Japan
Brad Raiford, Director, KPMG in the US
Pablo Almada, Partner, KPMG in Argentina
Thomas Gronenwald, Senior Manager, KPMG in Germany
Marko Vogel, Partner, KPMG in Germany
Eddie Toh, Partner, KPMG in Singapore
Sarah Puziewicz, Senior Associate, KPMG in Germany
Valentin Steinforth, Cybersecurity Consultant, KPMG in Germany

Appendix C: About (CS)2AI

Vision: Strengthen global critical infrastructure by fostering control system cybersecurity peer-to-peer networking and development.

Mission: An international organization enabling peer-to-peer organizations and supporting their grassroots efforts.

Goals: Professional networking; Global alliances; Professional development; Community outreach; Leadership opportunities.

(CS)2AI ("See-Say" for short) is a rapidly growing global nonprofit association approaching 34,000 members worldwide. It is the premier global not-for-profit workforce development organization supporting professionals of all levels charged with securing control systems. We provide the platform for members to help members, foster meaningful peer-to-peer exchange, continue professional education and directly support cybersecurity professional development in every way.

Peer-to-peer networking on a global scale

As a member of (CS)2AI, you join a global community of Control System Cybersecurity practitioners who are motivated to improve and develop both personally and professionally in this highly critical and consequential field. (CS)2AI delivers a venue for peer-to-peer connections, small-group interactions with leading industry experts, the sharing of experiences, challenges and best practices, and the resources you need to develop and grow. Explore the growing range of exclusive (CS)2AI member opportunities designed to help you reach the next level in your career journey. If you are not already an active member of the Control System Cybersecurity Association International, we invite you to join our members-helping-members efforts by GETTING INVOLVED today. Our association has many ways to contribute as a global member, speaker, teacher, mentor, partner, contributor, committee member, (CS)2AI Fellow or research participant.

https://www.cs2ai.org

Appendix D: Report Sponsors

Tier 1 Sponsor: KPMG
Tier 3 Sponsors: Fortinet; Waterfall Security Solutions
Tier 5 Sponsors: Opscura; Network Perception
Tier 6 Sponsor: Bridewell

http://www.cs2ai.org/

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization. KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited ("KPMG International"), each of which is a separate legal entity. KPMG International Limited is a private English company limited by guarantee and does not provide services to clients. For more detail about our structure please

Control System Cybersecurity Association International, a.k.a. (CS)2AI, names and logo are registered trademarks. 2024 Control System Cybersecurity Association International, a.k.a. (CS)2AI. (CS)2AI is a 501(c)(6) nonprofit organization registered in the United States of America.

CREATE: CRT152075