The State of Security in Control Systems Today: A SANS Survey Webcast
Sponsored by SurfWatch Labs and Tenable Network Security
Aug 06, 2015
© 2015 The SANS™ Institute – www.sans.org
Today’s Speakers
Derek Harp, SANS Director, ICS/SCADA Security
Adam Meyer, Chief Security Analyst, SurfWatch Labs
Ted Gary, Product Marketing Manager, Tenable Network Security
Industries Represented
Energy/Utilities: 29.3%
Other: 20.7%
Business services: 13.1%
Engineering services: 5.1%
Oil and gas production/Delivery: 5.1%
Control system equipment manufacturer: 4.8%
Control systems services: 3.5%
High tech production: 3.2%
Chemical production: 2.5%
Health care/Hospital: 2.5%
Water production and distribution: 2.5%
Transportation: 1.9%
Other manufacturing: 1.9%
Pharmaceutical production: 1.6%
Food production/Food service: 1.3%
Mining: 0.6%
Wastewater: 0.3%
Top Threat Vectors to ICS Security
Top Three Threat Vectors
External threats (hacktivism, nation states): 42.1%
Integration of IT into control system networks: 19.4%
Internal threat: 10.6%
Lack of Visibility into ICS Networks
Have your control system cyber assets and/or control system network ever been infected or infiltrated?
Not that we know of: 48.8%
Yes: 32.3%
No, we’re sure we haven’t been infiltrated: 12.2%
We’ve had suspicions but were never able to prove it: 4.9%
We don’t know and have no suspicions: 1.8%
Technology Convergence Strategy
Does your company have a security strategy to address the convergence of information and operational technologies?
We have no strategy and no plans to develop one: 17.5%
We have no strategy but are developing one: 35.6%
We have a strategy and are implementing it: 29.4%
We have a strategy in place: 17.5%
Recent Breaches
Known Breaches in Past 12 Months (2014 vs. 2015 responses), by number of breaches:
1 to 2
3 to 5
6 to 10
11 to 25
26+
Unknown/Unable to answer
Cybersecurity Threat Level
How high is the current cybersecurity threat to control systems? (Severe / High / Moderate / Low)
Decision Influencers’ Perception of Current Threat vs. Decision Makers’ Perception of Current Threat
Top Security Initiatives
Top Three Control System Security Initiatives
Perform security assessment/audit: 17.2%
Increased security awareness training: 15.5%
Increased physical security: 13.3%
Increased security staffing: 9.9%
Implement intrusion detection tool: 9.0%
Implement intrusion prevention tools: 8.2%
Increased security training: 6.4%
Implement anomaly detection tools: 6.0%
Increased security consulting services: 6.0%
Increased background security checks: 3.4%
Greater mobile devices/wireless communications controls: 2.6%
Highest Risk Components
Of the following system components, select those that you are collecting and correlating log data from.
Network devices (firewall, switches, routers, gateways)
Computer assets (HMI, server, workstations) running commercial operating systems (Windows, UNIX, Linux)
Connections to other internal systems (office networks)
Control system applications
Physical access systems
Connections to the field SCADA network
Control system communication protocols used (Modbus, DNP3, Profinet, Profibus, Fieldbus, TCP/IP)
Wireless communication devices and protocols used in the automation system
Plant historian
Embedded controllers and other components such as PLCs (programmable logic controllers) and IEDs (intelligent electronic devices)
OLE for process control (OPC)
Other
Highest Risk Components
Which control system components do you consider at greatest risk for compromise? Rank the top three, with “1” indicating the component at greatest risk. (Chart series: rank 1, 2, 3.)
Computer assets (HMI, server, workstations) running commercial operating systems (Windows, UNIX, Linux)
Connections to other internal systems (office networks)
Network devices (firewall, switches, routers, gateways)
Embedded controllers and other components such as PLCs (programmable logic controllers) and IEDs (intelligent electronic devices)
Control system communication protocols used (Modbus, DNP3, Profinet, Profibus, Fieldbus, TCP/IP)
Wireless communication devices and protocols used in the automation system
Control system applications
Connections to the field SCADA network
Physical access systems
Plant historian
OLE for process control (OPC)
Other
ICS Security Certification
Do you hold any certifications relevant to control systems security? Select all that apply.
Other
GIAC Industrial Cyber...
ISA99/IEC 62443 Cybe...
IACRB’s Certified S...
Incident Response
Whom do you consult in case of signs of an infection or infiltration of your control system cyber assets or network? Select all that apply.
Internal resources
Government organizati...
Control system vendor
Security consultant
Cybersecurity solution p...
IT consultant
Peers (e.g., SCADA oper...)
SCADA system integrator
Engineering consultant
Other
Security Budget Size
What is your organization’s total control system security budget for 2015?
None
Less than $19,999
$20,000–$49,999
$50,000–$99,999
$100,000–$499,999
$500,000–$999,999
$1 million–$2.49 million
$2.5 million–$9.99 million
Greater than $10 million
Security Budget Ownership
Who controls the control systems security budget for your company?
Information technology (IT): 19.4%
Operations: 23.9%
Both IT and operations: 45.0%
Unknown: 6.1%
Other: 5.6%
Conclusion
• The Top Targets: Your IT user base and web environment
• The Top Practices: Network intrusion and access control
– Inadequate patching of vulnerabilities gives “bad guys” a way in
– Insecure system configurations allow freedom of movement
• The Top Effects: Stolen or leaked data, especially personal and financial information
– The commodity appears to be data exfiltration
Continuous Network Monitoring for Effective Control Systems Cybersecurity
SANS ICS Survey Webcast, June 25, 2015
Tenable provides Continuous Network Monitoring™ to identify vulnerabilities, reduce risk and ensure compliance.
Gain Visibility into ICS Networks
Map all devices, physical interconnections, logical data channels, and implemented ICS protocols among devices.
Know What Is Normal
• Lack of visibility is one of the greatest barriers to securing resources
• Without awareness of normal communications and activity, it’s impossible to properly evaluate or improve security of assets
• Operations and security staff must be able to visualize and verify normal network operations
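The baseline that the two slides above call for, in working form: an added example, not code from the slides or from Tenable's product. It learns the assets, the logical channels (who talks to whom, on which port and protocol) and the Modbus function codes used on each channel from a learning window that operations staff have verified as normal, then reports every later conversation that falls outside that picture. The conversation records are constructed stand-ins for what a passive sensor on a SPAN port or tap would summarize; the addresses, the device roles in the comments and the choice to track function codes only for Modbus are assumptions made for the example. Function codes 3, 16 and 8 are the standard Modbus Read Holding Registers, Write Multiple Registers and Diagnostics codes, and TCP/20000 is the registered DNP3 port.

```python
"""Learn what is normal on an ICS segment, then flag what deviates.

Added example; not code from the slides or from any product. It works on
constructed conversation summaries (source, destination, destination port,
protocol, Modbus function code) of the kind a passive sensor on a SPAN port
or tap would produce. All addresses and device roles below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# A record is (src_ip, dst_ip, dst_port, protocol, function_code); function_code
# is the Modbus function code for TCP/502 traffic and None for everything else.

# Constructed learning window: traffic from a period verified as normal.
LEARNING_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, "modbus", 3),     # HMI reads holding registers, PLC A
    ("10.1.1.10", "10.1.2.21", 502, "modbus", 3),     # HMI reads holding registers, PLC B
    ("10.1.1.10", "10.1.2.20", 502, "modbus", 16),    # HMI writes multiple registers, PLC A
    ("10.1.1.11", "10.1.2.20", 20000, "dnp3", None),  # DNP3 master polls PLC A
    ("10.1.2.20", "10.1.1.12", 514, "syslog", None),  # PLC A logs to the historian host
]

# Constructed monitored window: normal traffic with four deviations mixed in.
MONITORED_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, "modbus", 3),     # normal
    ("10.1.1.10", "10.1.2.21", 502, "modbus", 16),    # writes to PLC B were never seen
    ("10.1.3.50", "10.1.2.20", 502, "modbus", 3),     # unknown host talking Modbus to PLC A
    ("10.1.1.10", "10.1.2.20", 502, "modbus", 8),     # diagnostics never seen on this channel
    ("10.1.1.10", "10.1.2.20", 22, "ssh", None),      # HMI opening SSH to a PLC
]


@dataclass
class Baseline:
    assets: set = field(default_factory=set)      # every IP seen as source or destination
    channels: set = field(default_factory=set)    # (src, dst, dport, proto) tuples
    functions: dict = field(default_factory=lambda: defaultdict(set))  # channel -> codes


@dataclass
class Finding:
    kind: str       # "new-asset", "new-channel" or "new-function"
    detail: str
    record: tuple


def build_baseline(records):
    """Learn assets, logical channels and per-channel function codes."""
    base = Baseline()
    for src, dst, dport, proto, fcode in records:
        base.assets.update((src, dst))
        channel = (src, dst, dport, proto)
        base.channels.add(channel)
        if fcode is not None:
            base.functions[channel].add(fcode)
    return base


def inventory(baseline):
    """Map each asset to the sorted list of protocols it takes part in."""
    protos = defaultdict(set)
    for src, dst, _dport, proto in baseline.channels:
        protos[src].add(proto)
        protos[dst].add(proto)
    return {ip: sorted(p) for ip, p in protos.items()}


def detect_deviations(baseline, records):
    """Return one Finding per record that falls outside the baseline.

    Checks run coarse to fine: an unknown asset is reported before an unknown
    channel, which is reported before an unknown function code, so a record
    yields at most one finding for one root cause.
    """
    findings = []
    for rec in records:
        src, dst, dport, proto, fcode = rec
        channel = (src, dst, dport, proto)
        if src not in baseline.assets or dst not in baseline.assets:
            findings.append(Finding("new-asset", f"unknown host in {src} -> {dst}", rec))
        elif channel not in baseline.channels:
            findings.append(Finding("new-channel", f"{src} -> {dst}:{dport}/{proto} never seen", rec))
        elif fcode is not None and fcode not in baseline.functions.get(channel, set()):
            findings.append(Finding("new-function", f"{proto} function {fcode} new on {src} -> {dst}", rec))
    return findings


if __name__ == "__main__":
    base = build_baseline(LEARNING_WINDOW)
    for ip, protos in sorted(inventory(base).items()):
        print(f"{ip:12} {', '.join(protos)}")
    for f in detect_deviations(base, MONITORED_WINDOW):
        print(f"[{f.kind}] {f.detail}")
```

Run as a script it prints the per-asset protocol inventory and four findings. Ordering the checks coarse to fine keeps one record from raising three alerts for the same cause; in practice the learning window has to be long enough to include infrequent but legitimate traffic such as maintenance writes and firmware pushes, or those become the first false positives.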
Learn More / Next Steps
• tenable.com/industries/energy
• tenable.com/whitepapers/scada-network-security-monitoring-protecting-critical-infrastructure
• tenable.com/whitepapers/definitive-guide-to-continuous-network-monitoring
• tenable.com/blog
• tenable.com/evaluate
Q & A
Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.