The Unisys Ponemon study – is it actually relevant to ICSs

July 19, 2014

Unisys sponsored a report by the Ponemon Institute: “Critical Infrastructure: Security Preparedness and Maturity”. It is being widely quoted even thought there was little Operational input and many of the questions were not relevant control systems. Consequently, the results need to be questioned as to their relevance.

Unisys sponsored a report by the Ponemon Institute: “Critical Infrastructure: Security Preparedness and Maturity”. The front of the report shows control systems in a process facility. Consequently, the implication is this report is addressing control systems.

It is important to understand the validity of the observations and conclusions as this report is being widely quoted. The report states that 57% of the respondents felt that ICS/SCADA were more at risk and 67% claim that they had cyber compromises over the past year with either confidential information or disruption to operations. Yet from Pie Chart 2, at most 20% of the respondents were directly responsible for control systems. Many of the questions that were asked do not make sense for ICSs and it is also not clear to me how a number of the questions can have answers that total more than 100%. It also is not clear how many of the SCADA/ICS networks were even being monitored? If there were disruption to Operations, the impacts should be obvious with potential physical damage.

To me, the real question is if these are Corporate network issues not control system issues. Some of the questions strongly imply that control system networks have been connected to Corporate networks. For example, why ask questions about e-mail servers? The way some of the questions were asked leads me to believe that the IT organizations may be responsible for some of the control system compromises. Certainly the issue of “maturity” needs to be asked in a different way – how mature are these Corporate organizations in what they are doing TO the ICSs.

This is the second Ponemon report dealing with critical infrastructure that did not have significant ICS input. Consequently, I have discussed my concerns with Larry Ponemon about the need for a report on ICS that has significant ICS involvement and asks the appropriate questions for ICS cyber security.

Joe Weiss