Security managers working with ICS are increasingly concerned about security

Security managers working with industrial control systems are increasingly concerned about security, and worried about insufficient information sharing in the industry, according to a new survey.

This year, 67 percent of respondents said that the threats to the control systems were moderate to severe, up from 43 percent last year, said Derek Harp, director of ICS global programs at Bethesda, MD-based SANS Institute, one of the authors of the report.

“It’s a trend driven by a problem that’s been getting worse,” he said. “There are more incidents being reported, and more awareness at the senior levels of the companies about what their exposures are.”

In fact, according to a report released by Booz Allen last week, the number of incidents reported to US authorities increased by 20 percent from 2014 to 2015. Spearphishing attacks, in particular, rose by 160 percent. Spearphishing was the initial attack vector for Operation Clandestine Wolf, one of the biggest attack campaigns of 2015, and for attacks on a German steel mill and Ukrainian electricity distributors, the report said.

According to the SANS report, 27 percent of respondents said that they had a security breach, while 52 percent said that they were not aware of a breach — only 13 percent said they were sure that they had not been infiltrated.

“Knowledge is a big problem here,” said Harp. “There are a lot of undetected problems. It’s widely held that most systems have had some sort of probing, but it’s really hard to know if someone was in there.”

These companies are being targeted by a wide variety of attackers, he said, including cybercriminals motivated by financial gain, disgruntled insiders and former employees, and nation states searching for proprietary information.

Meanwhile, the number of respondents who said they got intelligence information from industry information-sharing partnerships went down from 45 to 41 percent, and the number who said they got information from government agencies dropped even more, from 44 to 34 percent.

This could be an issue of perception, said Harp, and doesn’t necessarily mean that less sharing is actually happening.

“People are starved for more information,” he said. “They know that that’s the way to move forward, to understand what’s going on, but not be getting the information they want to be getting.”

Meanwhile, there have been efforts to increase information sharing between the public and private sector, he added.

However, there are also obstacles to greater openness, he added. “There are forces that work against exposure.” They include worries about damaging a company’s reputation or stock price, and about losing their jobs.

But the most disappointing statistic that came out of the survey was that 31 percent of organizations hadn’t completed a security assessment in the last 12 months — and 16 percent of respondents said that their organizations have never done a security assessment of their control systems.

“People have to step up,” Harp said. “This is a foundational piece. Regardless of what security strategies you might pursue, you pursue them after you have your baseline.”

Harp and his colleagues will be presenting the full report at a SANS webinar on Wednesday, June 29.