Concerns about security, information sharing up among industrial control system security pros

Security managers working with ICS are increasingly concerned about security

Security managers working with industrial control systems are increasingly concerned about security, and worried about insufficient information sharing in the industry, according to a new survey.

This year, 67 percent of respondents said that the threats to the control systems were moderate to severe, up from 43 percent last year, said Derek Harp, director of ISC global programs at Bethesda, MD-based SANS Institute, one of the authors of the report.

"It's a trend driven by a problem that's been getting worse," he said. "There are more incidents being reported, and more awareness at the senior levels of the companies about what their exposures are."

In fact, according to a report released by Booz Allen last week, the number if incidents reported to US authorities increased by 20 percent from 2014 to 2015. Spearphishing attacks, in particular, rose by 160 percent. Spearphishing was the initial attack vector for Operation Clandestine Wolf, one of the biggest attack campaigns of 2015, and attacks on a German steel mill and Ukrainian electricity distributors, the report said.

According to the SANS report, 27 percent of respondents said that they had a security breach, while 52 percent said that they were not aware of a breach -- only 13 percent said they were sure that they had not been infiltrated.

"Knowledge is a big problem here," said Harp. "There are a lot of undetected problems. It's widely held that most systems have had some sort of probing, but it's really hard to know if someone was in there."

These companies are being targeted by a wide variety of attackers, he said, including cybercriminals motivated by financial gain, disgruntled insiders and former employees, and nation states searching for proprietary information.

Meanwhile, the number of respondents who said they got intelligence information from industry information-sharing partnerships went down from 45 to 41 percent, and the number who said they got information from government agencies dropped even more, from 44 to 34 percent.

This could be an issue of perception, said Harp, and doesn't necessarily mean that less sharing is actually happening.

"People are starved for more information," he said. "They know that that's the way to move forward, to understand what's going on, but not be getting the information they want to be getting."

Meanwhile, there have been efforts to increase information sharing between the public and private sector, he added.

However, there are also obstacles to greater openness, he added. "There are forces that work against exposure."

They include worries about damaging a company's reputation or stock price, and about losing their jobs.

But the most disappointing statistic that came out of the survey was that 31 percent of organizations hadn't completed a security assessment in the last 12 months -- and 16 percent of responds said that their organizations have never done a security assessment of their control systems.

"People have to step up," Harp said. "This is a foundational piece. Regardless of what security strategies you might pursue, you pursue them after you have your baseline."

Hart and his colleagues will be presenting the full report at a SANS webinar on Wednesday, June 29.

Join the CSO newsletter!

Error: Please check your email address.

More about SANS Institute

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts