Control Engineering 2015 Cyber Security Study
This study was conducted by Control Engineering to evaluate cyber security implementation, resources, and training. See 7 findings for protecting control systems.
Respondents to the Control Engineering 2015 Cyber Security Study identified seven high-level findings impacting control systems today:
- Threat levels: Forty-seven percent of respondents perceive their control systems to be moderately threatened by cyber attacks, while 25% say theirs are highly threatened and 8% are at a severe threat level.
- Most concerning threat: Malware from a random source is the most concerning control system threat for 35% of respondents. Another 18% are worried about theft of intellectual property, and 8% fear attacks from “hacktivists” with a political or environmental agenda.
- Vulnerable system components: The most vulnerable system components within respondents’ organizations are connections to other internal systems (70%), computer assets (70%), network devices (67%), and wireless communication devices and protocols used in automation systems (60%).
- Vulnerability assessments: One in four respondents reported that their organizations have performed some type of vulnerability assessment within the past three months. The average facility has checked its vulnerabilities within the past seven months.
- Cyber-related incidents: Nearly half of respondents are aware of having experienced a malicious cyber incident in their control system networks and/or control system cyber assets within the past 24 months. Forty-three percent of these attacks were accidental infections, 8% were targeted in nature, and 38% were both accidental and targeted.
- Mobile devices: Thirty percent of organizations do not allow mobile devices—such as smart phones and tablets—to connect to networks or enter work areas, while 21% allow network access, and 15% allow them in the work areas only.
- Training: Half of respondents said their organizations train employees on identifying things that may indicate a cyber incident or attack, and another 34% train them on identifying social engineering attacks.