More misleading ICS cyber security survey results

Sept. 7, 2015

The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices. The training does not appear to be effective for ICSs.

Control Engineering reported on the 2015 Cyber Security Study ( http://www.controleng.com/single-article/high-to-severe-control-system-threat-levels/75eb37f86fa052b904ae837dd4ba4ecd.html?OCVALIDATE&ocid=784369&email=vytautas.butrimas@kam.lt )

I find the results of the survey confusing and yet consistent with most surveys on ICS cyber security. There is no identification of who participated in the survey. From the results, it appears that most of the respondents were focused on viruses, worms, and typical IT and networking equipment. The most vulnerable system components within respondents' companies were computer assets, connections to other internal systems, network devices, and wireless communication devices and protocols used in the automation systems. There is no mention of control system devices such as PLCs, IEDs, etc.

53% claimed they had experienced cyber incidents with their control system networks with 24% being aware of 5 or more attacks. If these were control system cyber incidents, I would have expected to see more actual impacts - electric outages, plant slowdowns or shutdowns, etc. However, these are control system network impacts which means they may not have actually impacted facility operation. This makes the 53% number less interesting.

Seven in 10 respondents said that they were alerted about recent cyber incidents by members of their internal organization, while 24% were disclosed by a third-party assessment, and 6% were notified by the government or other outside party. My database has more than 700 actual control system incidents though very few were identified as cyber. This makes me wonder about the 54% who said they knew who to contact in the event of a cyber incident or attack.

The cyber security training identified by Control Engineering does not appear to be effective as it is not identifying control system cyber incidents.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.