The Unisys Ponemon study – is it actually relevant to ICSs?

July 19, 2014

Unisys sponsored a report by the Ponemon Institute: “Critical Infrastructure: Security Preparedness and Maturity”. It is being widely quoted even though there was little Operational input and many of the questions were not relevant to control systems. Consequently, the results need to be questioned as to their relevance.

Unisys sponsored a report by the Ponemon Institute: “Critical Infrastructure: Security Preparedness and Maturity”. The front of the report shows control systems in a process facility. Consequently, the implication is this report is addressing control systems.

It is important to understand the validity of the observations and conclusions as this report is being widely quoted. The report states that 57% of the respondents felt that ICS/SCADA were more at risk and 67% claim that they had cyber compromises over the past year with either confidential information or disruption to operations. Yet from Pie Chart 2, at most 20% of the respondents were directly responsible for control systems. Many of the questions that were asked do not make sense for ICSs, and it is also not clear to me how a number of the questions can have answers that total more than 100%. It also is not clear how many of the SCADA/ICS networks were even being monitored. If there were disruption to Operations, the impacts should be obvious with potential physical damage.

To me, the real question is if these are Corporate network issues, not control system issues. Some of the questions strongly imply that control system networks have been connected to Corporate networks. For example, why ask questions about e-mail servers? The way some of the questions were asked leads me to believe that the IT organizations may be responsible for some of the control system compromises. Certainly the issue of “maturity” needs to be asked in a different way – how mature are these Corporate organizations in what they are doing TO the ICSs.

This is the second Ponemon report dealing with critical infrastructure that did not have significant ICS input. Consequently, I have discussed my concerns with Larry Ponemon about the need for a report on ICS that has significant ICS involvement and asks the appropriate questions for ICS cyber security.

Joe Weiss
