SANS has published its SCADA and Process Control Security Survey. The results paint a very confusing picture and actually demonstrate that the existing approaches to awareness and security are not working.
According to the report, "SCADA system operators are keenly aware of the risk to their systems, according to a survey of nearly 700 participants conducted by SANS Institute. In it, 70% consider the risks to their systems to be high to severe, and 33% suspect they may have had incidents." However, if 70% feel it is critical, why aren't they doing more? Why is it that 33% only SUSPECT, not know, that they have had incidents? My ICS cyber security incident database has more than 300 actual ICS cyber security incidents. The vast majority were not identified as cyber because the logging, forensics, and training are not available.
"More than 50% have patching and update practices. Those that use protections are doing so through access controls, monitoring and log analysis of their network devices, firewalls, and computer assets running the control systems. Unfortunately, at this time they seem unable to monitor the PLCs, terminal units and connections to field equipment due to lack of native security in the control systems themselves." Consequently, how can you have adequate ICS cyber security when the devices that can go "boom in the night" are the systems that cannot be monitored?
"The largest response group (51%) characterized their role(s) as a security administrator/analyst, followed by network operations and system personnel." From the graph in the report, only about 15% were control systems personnel. There is a message that doesn't seem to be getting through: the domain experts are not involved.
"Those 13% that don't know whether they have been compromised have likely been infiltrated because they have no visibility; and even some of those who thought they have not been breached may have been infiltrated, but still don't know it." You can't know you have a problem if you don't or can't look. Lately, there have been many ICS cyber incidents with loss of control and loss of view (check out www.controlglobal.com/unfettered).
"The top concern selected is computer-based workstations running the controllers rather than the embedded controllers running the industrial systems. While they may be monitoring the workstations, the embedded controllers should also be protected, because they were also heavily targeted by Stuxnet and its malware kin. Unfortunately, most organizations cannot provide security capabilities, such as authentication, authorization and accounting, for these controllers because they typically do not have native security controls." Shouldn't this scare people?
As I mentioned in a recent blog, I am working with arguably the only electric utility in the United States willing to secure its control systems for reliability, not for a NERC CIP check mark. We will be using the utility as a test bed to evaluate ICS cyber security technologies. I am currently at the RSA Conference in San Francisco walking the halls to see who can help. It is discouraging how little technology can be used to secure these critical systems.
Joe Weiss