Control System Security Perceptions and Practices
Control Engineering cyber security bloggers puzzle over recent industrial control system security assessment survey results.
Matthew E. Luallen, CCIE, CISSP, GIAC, and Steven E. Hamburg, PE, Encari
Nearly 200 responses were received to Control Engineering’s Industrial Control Systems Cyber Security Assessment Survey that commenced in November 2009. While some trends from the responses were expected, others were quite surprising. This article will provide our analysis of the responses, starting with simple observations and concluding with analysis of less expected responses and trends.
The first surprise was that 24% indicated they do not believe there are any threats and risks associated with their information control system that could affect their business operations. This is puzzling, since most organizations operate with the understanding that there is no such thing as 100% security. In an environment where industrial control systems are becoming more dependent on increased connectivity, including the Internet and remote control capabilities, we expected nearly 100% of responses to acknowledge the presence of such risks. Among respondents who did acknowledge disconcerting risks, the most prevalent cyber security concern, expressed by nearly 20%, was viruses and malicious software.
Another very surprising observation is only 53% indicated they are an “organization involved in an industry where you are compelled to implement specific information control system protections.” That leaves 47% that are not compelled to implement specific information control system protections. For the same reasons mentioned above regarding perceived risk, we expected a much higher number of responses indicating an urgency to implement specific information control system protections.
It was also surprising to see that only 50% indicate that their organization has an operating computer emergency response team to detect cyber security breach attempts and successful cyber security breaches. We find this odd in an environment where the number of cyber security threats facing industrial control systems is extremely high and has been growing dramatically in recent years. Another unexpected trend is that 22% indicated they have never performed any type of vulnerability assessment. Encari recommends that organizations perform vulnerability assessments at least annually, which is reinforced by the approximately 65% who indicated that they have conducted a vulnerability assessment within the past year. This has been accepted as a best practice because the cyber security threat landscape and infrastructure environments continuously change. In addition, the most prevalent industry change recently has been increased cyber capabilities and connectivity, which makes such assessments all the more necessary. If sufficient in scope and effectively executed, they can yield strong insight into an organization’s industrial control systems cyber security posture.
Along this same line, we weren’t surprised to see that only 46% indicate that they have contracted the services of an external firm to conduct some form of a vulnerability assessment. The reality is that an organization’s internal assessment capabilities can rarely match the skills of cyber security consulting firms whose core competency is performing such assessments. When planned with an effective project scope, an assessment can be financially viable and provide profound insights into organizations’ cyber security postures. Well-performed assessments reduce overall operating costs, similar to preventive medicine or Taguchi’s model of building quality (and security) into the design. Organizations that maintain internal capabilities should consider contracting a consulting firm at least every two years, while organizations that do not have an internal capability should consider contracting a consulting firm annually.
We were pleased to see that 75% indicate that their organization either has already implemented or is deploying an information protection program. While not specified in the responses, we have a high degree of confidence that a majority of the respondents are currently implementing information protection programs. Further, based upon what we have encountered in numerous organizations, we suspect that many of the information protection programs implemented are likely insufficient. This skepticism stems from the difficulty of implementing such programs for industrial control systems and general corporate information. Statistical evidence from the Privacy Rights Clearinghouse bears this out.
Organizations generate a plethora of information that exists in many forms: digital, on paper, and spoken. In order to establish an effective and sufficient information protection program, it must address and apply protective controls for all sensitive information usage scenarios. For example, how does the program protect sensitive information that is:
Sent via email;
Stored on USB thumb drives and technician laptop computers;
Faxed to a vendor;
Printed by a network printer; or
Residing in a database?
And how do you ensure that all information subject to the information protection program is labeled with its appropriate classification (e.g., “confidential” or “secret”)?
We have worked with many organizations that have established sufficiently comprehensive information protection programs but have struggled with implementation.
Security first steps
Given that we have encountered many organizations that have experienced challenges with maintaining an accurate and complete inventory of all information systems that reside and operate on control networks, we were surprised to see that 70% indicate the contrary. However, later in this article there are trends we noticed that may challenge the thought processes applied toward the responses.
It was interesting to see a somewhat uniform distribution of responses regarding the issues organizations would address first regarding the implementation of a control strategy (see pie chart graphic):
27% access control;
23% perimeter security (e.g., firewalls);
16% security policies;
14% information protection;
13% facility (i.e., physical) security; and
7% security awareness.
Since many cyber security incidents historically have resulted from human error, malicious and disgruntled employees, users with authorized cyber access, and lack of security awareness, we hoped to see a greater number of responses pertaining to security awareness. Unfortunately, it has been common to encounter organizations that neglect security awareness as part of their overall industrial control systems security programs.
Other key results
Several other notable findings of the survey:
Of respondents indicating concerns regarding potential inappropriate information disclosure, 31% have not implemented an information protection program.
Of respondents indicating concern regarding potential exposure to viruses and malicious software, 29% are operating in the absence of a monitoring capability to detect security breach attempts and successful security breaches.
Of respondents indicating concerns regarding risk associated with cyber security threats, 48% are operating without a computer emergency response team, and 19% have never performed a vulnerability assessment.
Of respondents indicating they have an accurate and complete inventory of all information systems that reside and operate on their control networks, 30% are currently operating with no change control process that is able to prevent unauthorized and potentially vulnerable changes from taking place on their control system.
Of respondents indicating they have monitoring capability to detect security breach attempts and successful security breaches, 70% say they also have an emergency response team. Less than 5% have the emergency response team but no monitoring capability.
The various combinations of responses noted in these points indicate a lack of maturity in the respondents’ industrial control system cyber security programs. This is an indication that these organizations are likely addressing cyber security concerns in isolation rather than in the context of a holistic cyber security strategy. For example:
How can you effectively address concerns regarding potential virus and malicious software exposure without monitoring capability?
Why would you operate without a computer emergency response team, or why would you not perform a vulnerability assessment if you were concerned about risks associated with cyber security threats?
How can you claim to have an accurate and complete inventory of all information systems that reside and operate on control networks without a change control process?
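The third question can be made testable: an inventory is only as accurate as the process that catches changes the inventory does not record. The following reconciliation is an added example, not code from the article or from Encari. It compares an inventory baseline for each control-network device against what a device poll actually observed, and classifies every difference as approved (covered by a change record), unauthorized, a device that is not in the inventory at all, or a device that is in the inventory but no longer seen. All asset identifiers, addresses, firmware versions, hashes, and change tickets are constructed values.

```python
"""Reconcile a control-network asset inventory against observed device state.

Added example: an inventory cannot be trusted to be accurate without a change
control process. Here each observed device is compared with its recorded
baseline and every difference is checked against approved change records.
All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    firmware: str
    config_hash: str


@dataclass(frozen=True)
class Finding:
    asset_id: str
    field: str        # attribute that differs, or "*" for a whole-device finding
    baseline: str
    observed: str
    status: str       # "approved", "UNAUTHORIZED", "UNINVENTORIED", or "MISSING"
    ticket: str = ""  # change record that covers an approved difference


# Inventory baseline recorded by the asset owner (constructed values).
INVENTORY = [
    Asset("PLC-01", "10.10.1.11", "2.3.1", "a1f3"),
    Asset("PLC-02", "10.10.1.12", "2.3.1", "b7c9"),
    Asset("HMI-01", "10.10.2.21", "5.0.4", "e044"),
]

# What a device poll actually reported (constructed values).
OBSERVED = [
    Asset("PLC-01", "10.10.1.11", "2.3.1", "a1f3"),  # unchanged
    Asset("PLC-02", "10.10.1.12", "2.4.0", "c210"),  # firmware and config changed
    Asset("HMI-01", "10.10.2.21", "5.0.4", "f9b2"),  # config changed, no ticket
    Asset("ENG-07", "10.10.2.55", "1.0.0", "0000"),  # not in the inventory at all
]

# Approved change records as (ticket, asset_id, field) (constructed values).
APPROVED_CHANGES = {
    ("CHG-1042", "PLC-02", "firmware"),
    ("CHG-1042", "PLC-02", "config_hash"),
}

TRACKED_FIELDS = ("ip", "firmware", "config_hash")


def reconcile(inventory, observed, approved_changes):
    """Return one Finding per difference between baseline and observed state."""
    approved = {(asset_id, field): ticket for ticket, asset_id, field in approved_changes}
    baseline = {a.asset_id: a for a in inventory}
    seen = {a.asset_id: a for a in observed}
    findings = []

    for asset_id, current in seen.items():
        base = baseline.get(asset_id)
        if base is None:
            # A device on the network that the inventory knows nothing about.
            findings.append(Finding(asset_id, "*", "", current.ip, "UNINVENTORIED"))
            continue
        for field in TRACKED_FIELDS:
            before, after = getattr(base, field), getattr(current, field)
            if before == after:
                continue
            ticket = approved.get((asset_id, field))
            status = "approved" if ticket else "UNAUTHORIZED"
            findings.append(Finding(asset_id, field, before, after, status, ticket or ""))

    for asset_id in baseline.keys() - seen.keys():
        # A device the inventory lists that the poll no longer sees.
        findings.append(Finding(asset_id, "*", baseline[asset_id].ip, "", "MISSING"))

    return findings


def needs_attention(findings):
    """Everything that is not explained by an approved change record."""
    return [f for f in findings if f.status != "approved"]


def summarize(findings):
    """Count findings by status, e.g. {"approved": 2, "UNAUTHORIZED": 1}."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, OBSERVED, APPROVED_CHANGES)
    print(summarize(results))
    for f in needs_attention(results):
        print(f"{f.status:14} {f.asset_id:8} {f.field:12} {f.baseline!r} -> {f.observed!r}")
```

Run as a script, the constructed data yields two approved differences on PLC-02, one unauthorized configuration change on HMI-01, and one uninventoried device, ENG-07. The point of the design is that the inventory, the observed state, and the change records are three independent sources: agreement between all three is what supports a claim of an accurate and complete inventory, and any difference that only two of them explain is the thing to investigate.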
Today’s reality is that we have a long way to go to understand and sufficiently protect our digital world to ensure continuing safety of the electronically controlled physical world. We are at a crossroads in time that requires us to push harder for resources to fix the problem and ensure that those resources are properly aligned with the most appropriate solutions. Every environment is different but the ultimate goal is the same: safe and reliable control of an efficient system. Now it is your goal individually, your company organically, and your industry collectively, to identify the appropriate path forward — a path that will continue our prosperity safely. We hope that our ongoing articles focusing on applying security defense-in-depth to industrial control systems will help achieve this ultimate goal.
Consultants Matt Luallen and Steve Hamburg are co-founders of Encari and write the Industrial Cyber Security blog for Control Engineering.