ICS Security Survey

It’s difficult to find hard data in the ICS security realm, so Industrial Defenders’ recently published survey provides some welcome data points. The survey is officially titled “Managing Automation Systems: Critical Infrastructure Operators’ Challenges & Opportunities“, but a more descriptive title is ICS Operators’ Views on Security Needs and Current Capabilities.

The survey asked 32 questions to 134 ICS owner/operators. Some breakdown information on the respondents:

  • 66% were electric/gas utility operators
  • 68% were in North America
  • 67% were in Operations, with the remaining 33% coming from the IT and corporate side

ID wisely shows the cumulative results and then breaks many of them down by Operations responses and Corporate responses to identify any differing views between Operations and IT. The biggest difference in responses from these two groups was in the expected number of “Industrial Endpoints” in the next 3 to 5 years. Corporate was much more bullish, expecting many more endpoints than Operations.

The most interesting statistic to me was, “72% of those surveyed spend less than 25% of their time per month dedicated to managing security.” The ID analysis indicated this was a problem, but since only 27% of the respondents had security as a primary responsibility it is to be expected. It also is a reminder to ICS security types that ICS security is only a small part of what an industrial engineer has to deal with on an ongoing basis.

In fact, if the respondents spent an effective 10% of their time on security it would be a positive finding. It’s better to have the system administrator / engineer integrate security responsibilities into their normal duties than have dedicated security people trying to do it all. The information security team should be providing the engineers with the tools, knowledge and support needed for the engineers to implement and maintain security.

The bulk of the survey highlights the gap between what security controls owner/operators feel are needed and where they are today. For example,

About 87% said tracking and validating changes (e.g., firewall rules, patches, user accounts) is “extremely important” or “very important” to security management; 80% for compliance/audit management and over 75% felt the same in the context of operational management.

Current Abilities: Tracking and validating changes in a unified fashion appears to be a shortfall for our survey respondents. In fact, over 72% responded to having a moderate to weak position.

The survey report is a quick nine-page read because it is full of helpful charts. Nice job by Industrial Defender to do the survey and make the results public.

Image by Sean MacEntee