More misleading ICS cyber security survey results

Control Engineering reported on the 2015 Cyber Security Study ( http://www.controleng.com/single-article/high-to-severe-control-system-threat-levels/75eb37f86fa052b904ae837dd4ba4ecd.html?OCVALIDATE&ocid=784369&email=vytautas.butrimas@kam.lt )

I find the results of the survey confusing and yet consistent with most surveys on ICS cyber security. There is no identification of who participated in the survey. From the results, it appears that most of the respondents were focused on viruses, worms, and typical IT and networking equipment. The most vulnerable system components within respondents' companies were computer assets, connections to other internal systems, network devices, and wireless communication devices and protocols used in the automation systems. There is no mention of control system devices such as PLCs, IEDs, etc.

53% claimed they had experienced cyber incidents with their control system networks, with 24% being aware of 5 or more attacks. If these were control system cyber incidents, I would have expected to see more actual impacts - electric outages, plant slowdowns or shutdowns, etc. However, these are control system network impacts, which means they may not have actually impacted facility operation. This makes the 53% number less interesting.

Seven in 10 respondents said that they were alerted about recent cyber incidents by members of their internal organization, while 24% were disclosed by a third-party assessment, and 6% were notified by the government or other outside party. My database has more than 700 actual control system incidents though very few were identified as cyber. This makes me wonder about the 54% who said they knew who to contact in the event of a cyber incident or attack.

The cyber security training identified by Control Engineering does not appear to be effective as it is not identifying control system cyber incidents.

Joe Weiss

Comments

  • I find this report as amusing as the recent SANS report on ICS security. It is clear that the surveys will also be skewed by the respondents. The Control Engineering survey has a much greater response from those directly responsible for industrial automation and control and the associated operational security and integrity of the manufacturing process. The SANS survey was very slanted towards an IT "view" of ICS security - typical from those removed from the day-to-day operations of the facility.

    Would be nice if maybe there could be some cooperation between entities on these surveys, because we all know Control Engineering / Control Global knows industrial automation and SANS knows IT!
