According to a recent research by Tripwire, Inc. through the Ponemon Institute that compared risk-based security management in the industrial segment to other industries, the industrial sector fails miserably.
While the survey was conducted in April of this year, the data was recently presented at the American Petroleum Institute Cybersecurity Conference in Houston. As 108 of the 1,320 respondents in the US and the UK participated in the industrial controls portion of the survey, it seems valuable to relay the findings. In fact, I'm relaying them because I'm somewhat shocked. They indicate that 60 percent of the industrial control industry has not deployed security configuration management.
Key findings of the industrial controls sector of the survey include:
- Only 40 percent have fully or partially deployed security configuration management -- a full 9 percent less than other survey segments
- 75 percent have fully or partially deployed system hardening -- the removal of non-essential software programs and utilities to avoid back-door access
- 69 percent indicated communications are contained in only one department or line
- 67 percent say that security communications occur at too low a level
- Only 56 percent listed an openness to challenge assumptions as being a top feature that is necessary for the success of a risk-based security management approach.
I thought this was important as we keep looking at this issue of industrial control security, and it keeps staying at the IT level. How about weighing in with some input on how to move this sector to true security?
Will it have to be based on a real and devastating attack? For example, we make the industrial world easier on a communications basis with Ethernet connections. While that's a great move for factory automation, attacks are now possible from the inside or out because of the connections.
Maybe I'm alone in thinking that this is a real problem. Am I? Again, every time I've asked readers to enlighten me, they do. Weigh in please and tell me I'm worried for nothing.