ICS Security Knowledge Low: Report

Friday, June 26, 2015 @ 04:06 PM gHale

Knowledge is power and a key aspect in keeping bad guys out of a manufacturing enterprise.

However, knowledge appears to be missing when it comes to security as 32 percent of respondents to a new survey said they experienced a breach, but were not sure how many times. In addition, 44 percent were unable to identify the source of the attack, according to a new survey from the SANS Institute.

The results came from a survey of 314 respondents from across several industries that actively maintain, operate or provide consulting services to facilities maintaining industrial control systems.

While different reports vary as to whether insiders or outsiders pose the biggest threat to industrial control systems, in the SANS report, 42 percent see external attackers as the top threat vector, while 19 percent see integration of IT into control system networks as the top threat and 11 percent see insider threats.

Survey respondents said their primary business concern regarding the security of control systems was ensuring the reliability and availability of control systems (35 percent). This was followed by ensuring the health and safety of employees (15 percent), then lowering risk/improving security (13 percent).

What area did respondents think was the greatest risk?

General-purpose computing assets (human–machine interface [HMI], server, workstations) running commercial OSes are at greatest risk of compromise at 44 percent. Penetration and assessment teams often find routes into control system networks through corporate IT, which was second at 14 percent.

ICS security issues are not going away and, in fact, could be growing.

It appears more breaches are occurring, with 9 percent of respondents acknowledging six or more breaches in 2014, and 17 percent noting six or more breaches in 2015. More organizations also acknowledge the possibility of breaches taking place without their knowledge.

Flying in the face of transparency, due to company policy, 24 percent of respondents were unable to answer whether they suffered an attack.

For 39 percent of respondents, systems had been breached for at least 24 hours before security staff became aware of the breach, and 20 percent said they could not determine how long the infiltration had been going on. An additional 20 percent did not detect breaches for more than a week, and 15 percent reported not knowing about the infiltration for more than a month.
