SANS ICS Security Survey Report 2016

Security in Industrial Control Systems Today: A SANS Survey Webcast
Sponsored by Anomali, Arbor Networks, Belden, and Carbon Black
© 2016 The SANS™ Institute – www.sans.org
Survey and Report Authors:
• Derek Harp, SANS Director, ICS Security
• Bengt Gregory-Brown, SANS Analyst

Industries Represented
[Figure: chart with a 0% to 35% axis; its category labels are not recoverable. Second chart, values shown: 69%, 14%, 17%; legend: U.S., Europe, Everywhere Else.]
For the full report, see: http://bit.ly/SANSICSSecRep2016

Current Threat Level of ICS
[Figure: chart. Values shown: 24%, 43%, 23%, 8%. Legend: Severe/Critical, High, Moderate, Low.]

Top ICS Threat Vectors
[Figure: bar chart, 0% to 70% axis, with series First, Second, Third. Categories:]
• External hacktivists, nation states
• Internal-Unintentional
• Malware
• Phishing
• IT/OT Integration
• Internal-Intentional
• Supply chain/Partners

Lack of Visibility into ICS Networks
Have your control system cyber assets and/or control system network ever been infected or infiltrated?
[Figure: chart. Values shown: 26.6%, 13.0%, 52.0%, 3.4%, 5.1%. Legend:]
• Yes
• No, we’re sure we haven’t been infiltrated
• Not that we know of
• We’ve had suspicions but were never able to prove it
• We don’t know and have no suspicions

Recent ICS Security Breaches
How many times did such events occur in the past 12 months?
[Figure: bar chart, 0.0% to 45.0% axis, with series 2014, 2015, 2016. Categories: 1 to 2, 3 to 5, 6 to 10, 11 to 25, 26+, Unknown.]

Most Recent ICS Security Assessment
[Figure: chart. Values shown: 26%, 42%, 31%. Legend: In past 3 months; In past 4-12 months; More than 1 year ago/Never.]

Security Standards Mapping
Select all cybersecurity standards you use
[Figure: chart. Values shown: 47%, 37%, 34%, 27%, 24%. Legend:]
• NIST Guide to SCADA and Industrial Control Systems Security
• 20 Critical Security Controls
• NERC CIP
• ISO 27000 series including 27001 and others
• ISA99 (Industrial Automation and Control Systems Security)

Top ICS Security Initiatives
[Figure: bar chart, 0% to 50% axis. Categories:]
• Implementation of greater controls over mobile devices/wireless communications
• Acquisition of additional skilled staff
• Implementation of intrusion detection tools
• Implementation of anomaly detection tools
• Staff training and certification
• Security assessment
• Security awareness training

ICS Security Certification
Please indicate what certifications you hold. Select all that apply.
[Figure: chart. Values shown: 66%, 28%, 12%, 10%, 6%. Legend:]
• Industrial Cyber Security Certification (GICSP)
• ISA99 Cybersecurity Fundamentals Specialist Certificate
• IACRB Certified SCADA Security Architect (CSSA)
• ISA Security Compliance Institute (ISCI) System Security Assurance (SSA) Certification
• ISA Security Compliance Institute (ISCI) Embedded Device Security Assurance (EDSA) Certification

ICS Components at Greatest Risk
[Figure: bar chart, 0% to 60% axis. Categories:]
• Computer assets running commercial OS
• Connections to business systems
• Network devices
• Connections to field SCADA network
• Wireless devices/protocols
• Control system communication protocols
• Control system applications

Top ICS Security Tools/Technologies
In Use (tool, used by):
• Anti-malware/Antivirus: 80%
• Physical controls for access to control systems and networks: 73%
• Use of zones or network segmentation: 71%
• Monitoring and log analysis: 65%
• Technical access controls: 63%
Planned (tool, planned by):
• Anomaly detection tools: 35%
• Control system enhancements/Upgrade services: 33%
• Application whitelisting: 32%
• Vulnerability scanning: 31%
• Intrusion prevention tools on control systems and networks: 29%


ICS Security Annual Survey 2016 Report: http://bit.ly/SANSICSSecRep2016
ICS Security Survey 2016 Report Webcast: http://bit.ly/SANSICSSecCast2016
Upcoming ICS Webcasts
• Sep 7: Incorporating ICS Cybersecurity Into Water Utility Master Planning, with Jason Dely
• Sep 28: The GICSP: A Keystone ICS Security Certification, with Mike Assante, Derek Harp, Scott Cassity, et al
• Oct 4: ICS Cyber Security as a Business Investment, with Austin Scott
• Nov 2: Securing OT in an IT World, with Derek Harp and Bengt Gregory-Brown. Sponsored by Wurldtech/GE
• Dec 6: Advanced Persistent Trickery in ICS Defense, with Bryce Galbraith