Despite a growing number of attacks on industrial control systems (ICS), organizations are falling behind on security improvements and in many cases they refuse to share threat information with others, according to a survey conducted by the SANS Institute.
The security training company surveyed 234 individuals who work for organizations of all sizes in the energy/utilities, business services, control system services, healthcare, oil and gas, hi-tech, engineering services, transportation and other sectors in the United States and other parts of the world. The survey focused on the security of supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), process control systems (PCS), and building automation and control systems (BAS/BCS).
When asked about their organization’s control system security budget for the fiscal year 2016, one in ten respondents said they don’t have one, while 8% indicated that their budget is over $10 million. The largest percentage of respondents, roughly 15%, said their budget is between $500,000 and $1 million. In most cases, budgets either increased or remained the same compared to the previous year.
Compared to the survey conducted last year by SANS, there is a 15% increase in the number of respondents that perceive the threat level to be severe or critical. This trend has been attributed to an increase in successful high-profile attacks, such as the ones targeting Ukraine’s energy sector, and an increasing number of unsupported or unpatchable ICS products.
More than 60% of respondents named external threats, such as hacktivism and state-sponsored attacks, as one of the top threat vectors. Many are also concerned about internal threats and unintentional incidents, and malware.
Roughly a quarter of organizations admitted suffering breaches of their control network in the past 12 months. The numbers remained fairly the same as in the previous years, except for organizations that discovered more than 26 incidents in one year, which increased from 2% in 2014 to 7% in 2016.
Organizations seem to be getting better at detecting breaches, with well over half of respondents claiming that security staff became aware of the situation within 24 hours. As for the source of an intrusion or infection, most blamed hackers, followed by current employees, activists or hacktivists, organized crime, and suppliers.
Approximately one-third of respondents said company policy prevented them from providing any information about data breaches, despite the fact that the survey was anonymous and no details were requested.
“Regardless of whether policies actually prevent providing this information, restrictions on sharing incident information hinders the work of those striving to secure and defend control systems and their networks by making it more difficult both to gather resources to address control system security issues and to focus those resources on the best targets,” SANS said in its report.
When it comes to business concerns related to ICS security, a majority of respondents named ensuring the reliability and availability of control systems as their top concern, followed by lowering risk, ensuring the safety of employees, and meeting regulatory compliance.
While more than half of the professionals who took part in the SANS survey claimed that at least 75% of their external network connections are fully documented, others either don’t know or admit that there could be many undocumented connections from control systems to the outside world.
Experts believe regular security assessments are very important for a secure ICS environment, yet 31% of organizations haven’t completed an assessment in the past year and some admitted that they had never performed one.
As for the tools used to protect ICS networks, the most common are anti-malware products, physical access controls, zones or network segmentation, monitoring and log analysis, and technical access controls. Roughly one-third of companies plan on implementing anomaly detection tools, control system enhancements, application whitelisting, vulnerability scanning, and intrusion prevention tools for control systems and networks.
However, experts pointed out that there is only a slight improvement in the use of security technologies and solutions compared to last year. While an increase of 20% was expected in the use of monitoring and log analysis, and application whitelisting, the actual growth is just roughly 10%. Growth in security awareness training, vulnerability scanning, and anomaly detection tools also failed to materialize.
The complete SANS 2016 State of ICS Security Survey will be published by the SANS Institute later this month.