Last week McAfee and CSIS released a report titled In the Crossfire: Critical Infrastructure in the Age of Cyber War. Honestly, I dismissed it at first as marketing hype and even took some shots at it on Twitter because of the lack of real data. But they are actually very clear that it is a survey, and not even one that uses valid statistical sampling and error margins. They describe it as a “rough measure of executive opinion” which includes “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. As much as I tried, I couldn’t ignore it. Even if you believe it’s just an attempt to keep the budget faucet flowing, the report does offer some interesting observation points.

Most of the survey is focused on the critical infrastructure organization as a whole. There are some charts that show a measure of perception or belief about things like which foreign governments are attacking them for example. Let’s save that for a future discussion — tie it into APT perhaps.

The subset of the survey respondents I want to focus on are those who indicated they have control system responsibilities (143 out of the 600, a notably smaller group). They were asked questions about measures deployed on their SCADA / ICS networks. Working in the field, we develop our own observations of different sectors based on what we see. The organizations that hire us are generally proactive about security so our data set tends to be somewhat biased. (Although I’m sure there is some level of bias for those who respond to a McAfee survey as well.) Keeping that in mind, here are a few of the more interesting data points from the survey with my comments:

Application whitelisting is more widely adopted in control system networks than IT networks

I’m actually not that surprised — it just seems like a natural fit. But then I’ve already outed myself as an application whitelisting fan. We had an interesting paper at S4 this year discussing the topic as well.

65% report using firewalls as a security measure on their control system networks

To get the full picture on this, I’d like to see it broken down by sector, which wasn’t done in the report. Just another stark reminder that there’s still a lot of 101 level work to be done out there.

43% report SIEM/SEM technology is employed on their control system networks

I was surprised by this number. It’s a higher percentage than I would have guessed. Given the current status of control device security monitoring capability, however, the effectiveness of this measure is questionable.

Over 75% say their systems are connected to the Internet or other IP networks

That sounds about right. I wonder how much this will change because of security concerns raised by reports like this and the possibility of dodging potential compliance requirements such as NERC CIP. Could the rate of Ethernet/IP adoption flatten out? Maybe the real question revolves around the networks that have been IP-connected for 10-12 years or longer. Will the same business drivers that pushed them into IP also push other “newer” technology – wireless, SCADA as a Service, etc.?

Beyond these points, there is a lot of confirmation of things we probably already knew. There were more attacks and greater impact reported in the Oil and Gas sector than others. The simple explanation: more connectivity equals more exposure to attack. On the other end of that continuum is the Water sector, which reports lower attack and security measure adoption numbers but also the lowest degree of IP connectivity. Again, not much explanation required there.

If you haven’t seen the report yet, here are some direct links for your convenience:

Direct link to the report

Audio commentary

Presentation slides

I leave you with this question: Given the opportunity, what would you ask 600 (or 143) IT and security executives from critical infrastructure organizations around the world?