The State of Security in Control Systems Today: A SANS Survey
The control systems used to critical infrastructure facilities are increasingly vulnerable to attack, but it's almost impossible to tell how often they're breached or how it's done, according to early results from a SANS survey on the security of industrial control systems. Thirty-two percent of respondents who admitted having experienced a breach said they can't say how often they were breached; 42 percent said they weren't able to identify the source of the breaches.
“The number of confirmed breaches is rising, but the limited ability of most ICS security systems to detect attacks, let alone reveal their source and type, is at least as big a problem as the number of attacks on operational technology systems,” according to Bengt Gregory-Brown, consultant to the SANS ICS program. “Lack of visibility into ICS systems is a problem, and one that's growing with greater connectivity and the IT-OT integration.”
The increasing integration of IT into once-isolated OT systems is one of the top three threat vectors identified by security professionals polled by SANS. The threat of attack from external actors is still the biggest concern; 42 percent of respondents said outsiders are the top threat, and 73 percent said it was one of the top three. Internal threats came in second, being named by 49 percent of respondents as being in the top three threats, followed by integration of IT into control system networks, with 46 percent.
Although integration is concerning, IT and ICS are converging with greater frequency. Only 29 percent of respondents have begun implementing a strategy to manage that convergence securely; 36 percent are developing a strategy; and 18 percent have no strategy at all and don't plan to develop one.
“We are very glad to see indications of growing collaboration between IT and ICS security staff,” said Derek Harp, director of the SANS ICS-SCADA security. “But the number of companies lacking strategies to manage the integration of IP technologies and commercial operating systems into ICS environments is still quite high.”
Appropriate training is key to being able to address the security issues as IT and ICS continue to converge. Most respondents reported having IT certifications, but far fewer had ICS security-specific training. Multiple factors drive the increased targeting of control systems. To successfully protect these environments, control system and information security professionals need sufficient training, tools and support—not only so they can respond to ongoing attacks, but so they can proactively identify and implement safeguards to prevent future breaches.