The State of Security in Control Systems Today: A SANS Survey Webcast Sponsored by SurfWatch Labs and Tenable Network Security © 2015 The SANS™ Institute – www.sans.org
Page 1: SANS Report: The State of Security in Control Systems Today

© 2015 The SANS™ Institute – www.sans.org

The State of Security in Control Systems Today: A SANS Survey Webcast

Sponsored by SurfWatch Labs and Tenable Network Security

Page 2: SANS Report: The State of Security in Control Systems Today


Today’s Speakers

Derek Harp, SANS Director, ICS/SCADA Security

Adam Meyer, Chief Security Analyst, SurfWatch Labs

Ted Gary, Product Marketing Manager, Tenable Network Security

Page 3: SANS Report: The State of Security in Control Systems Today


Industries Represented

[Pie chart: Industries. Legend entries, in extracted order: Energy/Utilities; Other; Business services; Engineering services; Oil and gas production/Delivery; Control system equipment manufacturer; Control systems services; High tech production; Chemical production; Health care/Hospital; Water production and distribution; Transportation; Other manufacturing; Pharmaceutical production; Food production/Food service; Mining; Wastewater. Data labels, in extracted order: 29.3%, 20.7%, 13.1%, 5.1%, 5.1%, 4.8%, 3.5%, 3.2%, 2.5%, 2.5%, 2.5%, 1.9%, 1.9%, 1.6%, 1.3%, 0.6%, 0.3%]

Page 4: SANS Report: The State of Security in Control Systems Today


Top Threat Vectors to ICS Security

[Bar chart: Top Three Threat Vectors. Categories, in extracted order: External threats (hacktivism, nation states); Integration of IT into control system networks; Internal threat. Data labels, in extracted order: 42.1%, 19.4%, 10.6%]

Page 5: SANS Report: The State of Security in Control Systems Today


Lack of Visibility into ICS Networks

Have your control system cyber assets and/or control system network ever been infected or infiltrated?

[Pie chart. Legend entries, in extracted order: Not that we know of; Yes; No, we’re sure we haven’t been infiltrated; We’ve had suspicions but were never able to prove it; We don’t know and have no suspicions. Data labels, in extracted order: 48.8%, 32.3%, 12.2%, 4.9%, 1.8%]

Page 6: SANS Report: The State of Security in Control Systems Today


Technology Convergence Strategy

Does your company have a security strategy to address the convergence of information and operational technologies?

[Pie chart. Legend entries, in extracted order: We have no strategy and no plans to develop one; We have no strategy but are developing one; We have a strategy and are implementing it; We have a strategy in place. Data labels, in extracted order: 17.5%, 35.6%, 29.4%, 17.5%]

Page 7: SANS Report: The State of Security in Control Systems Today


Recent Breaches

[Bar chart: Known Breaches in Past 12 Months. Categories: 1 to 2; 3 to 5; 6 to 10; 11 to 25; 26+; Unknown/Unable to answer. Series: 2015, 2014. Axis: 0% to 45%]

Page 8: SANS Report: The State of Security in Control Systems Today


Cybersecurity Threat Level

How high is the current cybersecurity threat to control systems?

[Bar chart. Categories: Severe; High; Moderate; Low. Series: Decision Influencers Perception of Current Threat; Decision Makers Perception of Current Threat. Axis: 0% to 50%]

Page 9: SANS Report: The State of Security in Control Systems Today


Top Security Initiatives

[Bar chart: Top Three Control System Security Initiatives. Categories, in extracted order: Perform security assessment/audit; Increased security awareness training; Increased physical security; Increased security staffing; Implement intrusion detection tool; Implement intrusion prevention tools; Increased security training; Implement anomaly detection tools; Increased security consulting services; Increased background security checks; Greater mobile devices/wireless communications controls. Data labels, in extracted order: 17.2%, 15.5%, 13.3%, 9.9%, 9.0%, 8.2%, 6.4%, 6.0%, 6.0%, 3.4%, 2.6%. Axis: 0% to 20%]

Page 10: SANS Report: The State of Security in Control Systems Today


Highest Risk Components

[Bar chart. Category labels, truncated as on the slide: Network devices (firewall, switches,...; Computer assets (HMI, server, wor...; Connections to other internal system...; Control system applications; Physical access systems; Connections to the field SCADA ne...; Control system communication proto...; Wireless communication devices and...; Plant historian; Embedded controllers and other comp...; OLE for process control (OPC); Other. Axis: 0% to 80%]

Of the following system components, select those that you are collecting and correlating log data from.

Page 11: SANS Report: The State of Security in Control Systems Today


Highest Risk Components

Which control system components do you consider at greatest risk for compromise? Rank the top three, with “1” indicating the component at greatest risk.

[Bar chart. Series: ranks 1, 2, 3. Axis: 0% to 50%. Categories, in extracted order:]

Other

OLE for process control (OPC)

Plant historian

Physical access systems

Connections to the field SCADA network

Control system applications

Wireless communication devices and protocols used in the automation system

Control system communication protocols used (Modbus, DNP3, Profinet, Profibus, Fieldbus, TCP/IP)

Embedded controllers and other components such as PLCs (programmable logic controllers) and IEDs (intelligent electronic devices)

Network devices (firewall, switches, routers, gateways)

Connections to other internal systems (office networks)

Computer assets (HMI, server, workstations) running commercial operating systems (Windows, UNIX, Linux)

Page 12: SANS Report: The State of Security in Control Systems Today


ICS Security Certification

[Bar chart. Category labels, truncated as on the slide: Other; GIAC Industrial Cyber...; ISA99/IEC 62443 Cybe...; IACRB’s Certified S... Axis: 0% to 60%]

Do you hold any certifications relevant to control systems security? Select all that apply.

Page 13: SANS Report: The State of Security in Control Systems Today


Incident Response

[Bar chart. Category labels, truncated as on the slide: Internal resources; Government organizati...; Control system vendor; Security consultant; Cybersecurity solution p...; IT consultant; Peers (e.g., SCADA oper...; SCADA system integrator; Engineering consultant; Other. Axis: 0% to 50%]

Whom do you consult in case of signs of an infection or infiltration of your control system cyber assets or network? Select all that apply.

Page 14: SANS Report: The State of Security in Control Systems Today


Security Budget Size

[Bar chart. Categories: None; Less than $19,999; $20,000–$49,999; $50,000–$99,999; $100,000–$499,999; $500,000–$999,999; $1 million–$2.49 million; $2.5 million–$9.99 million; Greater than $10 million. Axis: 0% to 10%]

What is your organization’s total control system security budget for 2015?

Page 15: SANS Report: The State of Security in Control Systems Today


Security Budget Ownership

[Pie chart. Data labels, in extracted order: 19.4%, 23.9%, 45.0%, 6.1%, 5.6%]

Who controls the control systems security budget for your company?

Information technology (IT)

Operations

Both IT and operations

Unknown

Other

Page 16: SANS Report: The State of Security in Control Systems Today

Adam Meyer

Chief Security Strategist

Page 17: SANS Report: The State of Security in Control Systems Today

Take a Data Driven Approach to Mitigating Your Cyber Risk


Page 18: SANS Report: The State of Security in Control Systems Today


Take a Data Driven Approach to Mitigating Your Cyber Risk

Page 19: SANS Report: The State of Security in Control Systems Today


A Look at Cybercrime Across the Board

Page 20: SANS Report: The State of Security in Control Systems Today


Cyber Risks Facing Industrials Sector

Page 21: SANS Report: The State of Security in Control Systems Today


Cyber Risks Facing Energy Sector

Page 22: SANS Report: The State of Security in Control Systems Today


Cyber Risks Facing Utilities Sector

Page 23: SANS Report: The State of Security in Control Systems Today

Conclusion


• The Top Targets: Your IT user base and web environment

• The Top Practices: Network intrusion and access control

– Inadequate patching of vulnerabilities gives “bad guys” a way in

– Insecure system configurations allow freedom of movement

• The Top Effects: Stolen or leaked data - especially personal and financial information

– The commodity appears to be data exfiltration

Page 24: SANS Report: The State of Security in Control Systems Today

Thank You!

www.surfwatchlabs.com

Page 25: SANS Report: The State of Security in Control Systems Today

Continuous Network Monitoring for Effective Control Systems Cybersecurity

SANS ICS Survey Webcast, June 25, 2015

Page 26: SANS Report: The State of Security in Control Systems Today

Tenable provides Continuous Network Monitoring™ to identify vulnerabilities, reduce risk and ensure compliance.

Page 27: SANS Report: The State of Security in Control Systems Today

Our family of products includes SecurityCenter Continuous View™ and Nessus®

Page 28: SANS Report: The State of Security in Control Systems Today

Gain Visibility into ICS Networks

Map all devices, physical interconnections, logical data channels, and implemented ICS protocols among devices.

Page 29: SANS Report: The State of Security in Control Systems Today
Page 30: SANS Report: The State of Security in Control Systems Today

Know What Is Normal

• Lack of visibility is one of the greatest barriers to securing resources

• Without awareness of normal communications and activity, it’s impossible to properly evaluate or improve security of assets

• Operations and security staff must be able to visualize and verify normal network operations 

Page 31: SANS Report: The State of Security in Control Systems Today
Page 32: SANS Report: The State of Security in Control Systems Today

Learn More / Next Steps

• tenable.com/industries/energy

• tenable.com/whitepapers/scada-network-security-monitoring-protecting-critical-infrastructure

• tenable.com/whitepapers/definitive-guide-to-continuous-network-monitoring

• tenable.com/blog

• tenable.com/evaluate

Page 33: SANS Report: The State of Security in Control Systems Today

Thank you!

tenable.com

Page 34: SANS Report: The State of Security in Control Systems Today
Page 35: SANS Report: The State of Security in Control Systems Today


Q & A

Please use GoToWebinar’s Questions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.

Page 36: SANS Report: The State of Security in Control Systems Today


Acknowledgements

Thanks to our sponsors:

SurfWatch Labs

Tenable Network Security

To our special guests:

Adam Meyer

Ted Gary

And to our attendees,

Thank you for joining us today!