High to severe control system threat levels
One in four respondents to the Control Engineering 2015 Cyber Security Study identified a high cyber security threat to their control system. Four additional findings from the study related to threats to control systems are below.
One in four respondents to the Control Engineering 2015 Cyber Security Study identified a high cyber security threat to their control systems, while another 8% said their systems are severely threatened. Of these respondents, the most concerning threats to these at-risk control systems are attacks as part of a larger attempt to disrupt critical infrastructure (29%), malware from a random source with no specific connection to their company or industry (22%), and attacks through an unfamiliar yet vulnerable network device (18%). Below are four more findings from this study as they relate to highly or severely threatened control systems:
- Vulnerable system components: The most vulnerable system components within respondents' companies are computer assets (55%), connections to other internal systems (50%), network devices (49%), and wireless communication devices and protocols used in the automation system (46%).
- Vulnerability assessments: Thirty-seven percent of respondents reported that their companies have performed some type of vulnerability assessment within the past 3 months. The average facility has checked their vulnerabilities within the past 5 months.
- Cyber-related incidents: Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets—that they were aware of-within the past 24 months, with 24% being aware of five or more attacks. Thirty-two percent of these incidents were accidental infections, 14% were targeted in nature, and 50% were both accidental and targeted.
- Identifying cyber incidents: Seven in 10 respondents said that they were alerted about recent cyber incidents by members of their internal organization, while 24% were disclosed by a third-party assessment, and 6% were notified by the government or other outside party.