More misleading ICS cyber security survey results

Sept. 7, 2015

The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices. The training does not appear to be effective for ICSs.

Control Engineering reported on the 2015 Cyber Security Study (http://www.controleng.com/single-article/high-to-severe-control-system-threat-levels/75eb37f86fa052b904ae837dd4ba4ecd.html?OCVALIDATE&ocid=784369&email=vytautas.butrimas@kam.lt).

I find the results of the survey confusing and yet consistent with most surveys on ICS cyber security. There is no identification of who participated in the survey. From the results, it appears that most of the respondents were focused on viruses, worms, and typical IT and networking equipment. The most vulnerable system components within respondents' companies were computer assets, connections to other internal systems, network devices, and wireless communication devices and protocols used in the automation systems. There is no mention of control system devices such as PLCs, IEDs, etc.

53% claimed they had experienced cyber incidents with their control system networks, with 24% being aware of 5 or more attacks. If these were control system cyber incidents, I would have expected to see more actual impacts - electric outages, plant slowdowns or shutdowns, etc. However, these are control system network impacts, which means they may not have actually impacted facility operation. This makes the 53% number less interesting.

Seven in 10 respondents said that they were alerted about recent cyber incidents by members of their internal organization, while 24% were disclosed by a third-party assessment, and 6% were notified by the government or other outside party. My database has more than 700 actual control system incidents, though very few were identified as cyber. This makes me wonder about the 54% who said they knew who to contact in the event of a cyber incident or attack.

The cyber security training identified by Control Engineering does not appear to be effective as it is not identifying control system cyber incidents.

Joe Weiss