More misleading ICS cyber security survey results

Sept. 7, 2015

The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices. The training does not appear to be effective for ICSs.

Control Engineering reported on the 2015 Cyber Security Study ( http://www.controleng.com/single-article/high-to-severe-control-system-threat-levels/75eb37f86fa052b904ae837dd4ba4ecd.html?OCVALIDATE&ocid=784369&email=vytautas.butrimas@kam.lt )

I find the results of the survey confusing and yet consistent with most surveys on ICS cyber security. There is no identification of who participated in the survey. From the results, it appears that most of the respondents were focused on viruses, worms, and typical IT and networking equipment. The most vulnerable system components within respondents' companies were computer assets, connections to other internal systems, network devices, and wireless communication devices and protocols used in the automation systems. There is no mention of control system devices such as PLCs, IEDs, etc.

53% claimed they had experienced cyber incidents with their control system networks with 24% being aware of 5 or more attacks. If these were control system cyber incidents, I would have expected to see more actual impacts - electric outages, plant slowdowns or shutdowns, etc. However, these are control system network impacts which means they may not have actually impacted facility operation. This makes the 53% number less interesting.

Seven in 10 respondents said that they were alerted about recent cyber incidents by members of their internal organization, while 24% were disclosed by a third-party assessment, and 6% were notified by the government or other outside party. My database has more than 700 actual control system incidents though very few were identified as cyber. This makes me wonder about the 54% who said they knew who to contact in the event of a cyber incident or attack.

The cyber security training identified by Control Engineering does not appear to be effective as it is not identifying control system cyber incidents.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...