###### SANS Institute InfoSec Reading Room

Copyright SANS Institute. Author retains full rights.

### The State of Security in Control Systems Today

###### A SANS Survey

Written by Derek Harp and Bengt Gregory-Brown

June 2015

Sponsored by SurfWatch Labs and Tenable Network Security

By reading this report, ICS professionals will gain insight into the challenges facing peers, as well as the approaches being employed to reduce the risk of cyberattack.

Industrial control systems (ICS), or the hardware and software that monitor and control physical equipment and processes for critical infrastructure, such as water, oil, gas, energy and utilities, as well as automated manufacturing, pharmaceutical processing and defense networks, present a wildly attractive target for those who seek to cause disruption or to threaten infrastructure for their own purposes. Because of the significant

While control system networks are not necessarily more opaque than IT systems, the available tools to map and monitor their traffic and attached devices have been less robust than their IT counterparts. It is essential that industry leaders provide their security practitioners with the tools, training and resources to gain the insight needed to

The 314 respondents who actively maintain, operate or provide consulting services to facilities maintaining industrial control systems, energy and utilities (29%), together with

**Table 1. International Representation**

| Country or Region | Representation |
|---|---|
| United States | 77.7% |
| Europe | 31.2% |
| Asia Pacific (APAC) | 26.8% |
| Canada | 22.9% |
| Middle East | 19.1% |
| South America | 17.2% |
| Australia/New Zealand | 15.3% |
| Africa | 15.0% |
| Latin America | 14.3% |
| Antarctica region | 3.8% |
| Other | 3.5% |

**What is your primary role in the organization?**

_Figure 1. Respondent Roles_

Survey respondents indicated that their primary business concern regarding the security

**What are your primary business concerns when it comes to security of your control systems?** **_Rank the top three, with “1” indicating the most important driver._**

_Figure 2. Business Concerns Related to Control System Security_

**Which control system components do you consider at greatest risk for compromise?** **_Rank the top three, with “1” indicating the component at greatest risk._**

Answer options (ranked 1 to 3 in the figure):

- Computer assets (HMI, server, workstations) running commercial operating systems (Windows, UNIX, Linux)
- Connections to other internal systems (office networks)
- Network devices (firewall, switches, routers, gateways)
- Embedded controllers and other components such as PLCs (programmable logic controllers) and IEDs (intelligent electronic devices)
- Control system communication protocols used (Modbus, DNP3, Profinet, Profibus, Fieldbus, TCP/IP)
- Wireless communication devices and protocols used in the automation system
- Control system applications
- Connections to the field SCADA network
- Physical access systems
- Plant historian
- OLE for process control (OPC)
- Other

_Figure 3. Components at Greatest Risk for Compromise_

###### TAKEAWAY: Don’t Forget the Data!

Protect data as well as devices. Make multiple levels of backups, verify all current configuration settings and firmware, and limit access to configuration and firmware privileges. Follow strict change-control procedures when you do need to make changes.

Survey respondents indicate that the focus remains on securing IT devices and applications, rather than on the industrial control system components themselves. The relative maturity of security tools and practices for general-purpose computers and commercial operating systems may be contributing to the greater attention they receive. Options for securing ICS systems and networks are newer and less tested. Still, technologies such as security information and event management (SIEM) solutions and passive network anomaly detection systems, which give greater insight into control system networks with less risk of operational disruption, have begun to grow in number and to establish their safety and reliability.

###### Threat Perception

Recognizing that decision influencers often deal more closely with the details of operations, we refined our survey from last year. In addition to asking for the respondents’ perceptions, we added a question to learn how decision makers and decision influencers perceived the threat. Figure 4 compares these two groups’ perceptions.

**At what level does your organization perceive the current cybersecurity threat to control systems?** (responses shown separately for Decision Makers and Decision Influencers)

_Figure 4. Threat Perceptions_

###### Incident Detection

A clear year-over-year trend emerged in respondents’ answers to our question about recent control system infiltration. It appears that more breaches are occurring, with 9% of respondents acknowledging six or more breaches in 2014, and 17% noting six or more breaches in 2015. More organizations also acknowledge the possibility of breaches

Without awareness of normal communications and activity, it’s impossible to properly evaluate or improve security of assets. Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.

**Have your control system cyber assets and/or control system network ever been infected or infiltrated?**

Answer options: Not that we know of; Yes; No, we’re sure we haven’t been infiltrated; We’ve had suspicions but were never able to prove it; We don’t know and have no suspicions

_Figure 5. Have your control systems been breached?_

**How many times did such events occur in the past 12 months?**

Answer options: Unknown; 1–2; 3–5; 6–10; 11–50; More than 50

_Figure 6. Number of Breaches_

For 39% of respondents, systems were breached for at least 24 hours before security staff became aware of the breach, and 20% reported that they could not determine how long the infiltration had been going on. For an additional 20%, breaches were not detected for more than a week, and 15% reported not knowing about the infiltration for more than a month, as illustrated in Figure 7.

**How long (on average) after the incident began did your control systems security staff become aware of the situation?**

_Figure 7. Time to Detection_

Various industry reports show that security breaches often go undetected for great lengths of time, even exceeding our greatest answer option by multiples. Such lengthy times to detection provide more than enough time for attackers to complete their reconnaissance and install any illicit monitoring, reporting or disrupting malware. Greater amounts of time also allow attackers to remove the traces that would otherwise provide forensic investigators with the clues necessary to identify them, their actions and purposes. So it comes as no surprise that 44% never identified where the infiltrations or infections took place. Either attackers covered their tracks or the investigations carried

**What was the identified source or sources of the infiltrations or infections?** **_Select all that apply._**

_Figure 8. Identified Sources of Breaches_

**44%** Percentage of respondents unable to identify the source of at

###### Threat Vectors

Despite the attacks attributed to internal sources, external actors represent the most concerning threat vectors, chosen by 42% as the top threat and by 73% as one of the top three threats. In 2014, 25% chose external actors as the top threat, and 60% included that category in the top three threats. See Table 2.

**Table 2. Top Threat Vectors[13]**

| Vector | 2015: 1 | 2015: 2 | 2015: 3 | 2015: Total | 2014: 1 | 2014: 2 | 2014: 3 | 2014: Total |
|---|---|---|---|---|---|---|---|---|
| External Threat | 42% | 14% | 17% | 73% | 25% | 14% | 21% | 60% |
| Internal Threat | 11% | 14% | 24% | 49% | 14% | 9% | 14% | 37% |
| Attacks from Within the Internal Network | N/A | N/A | N/A | N/A | 10% | 12% | 12% | 34% |
| Integration of IT into Control System Networks | 19% | 15% | 12% | 46% | N/A | N/A | N/A | N/A |
| Malware | 7% | 18% | 16% | 41% | 16% | 21% | 16% | 53% |
| Phishing Scams | 6% | 11% | 13% | 30% | 12% | 14% | 9% | 35% |
| Industrial Espionage | 7% | 15% | 7% | 29% | 8% | 12% | 5% | 25% |
| Extortion | 6% | 8% | 5% | 19% | 1% | 3% | 5% | 9% |
| Cybersecurity Policy Violations | N/A | N/A | N/A | N/A | 10% | 10% | 13% | 33% |
| Other | 3% | 2% | 3% | 8% | 3% | 1% | 2% | 6% |

Nearly every other category shrank, with the exception of industrial espionage and extortion. Extortion ranked in the top three threats by 19% in 2015, up from 10% in 2014.

Access controls and anti-malware/antivirus continue to be the most commonly used security items in practitioners’ toolboxes, both being used by 83% of respondents. Both unidirectional (30%) and bidirectional gaps (66%) are implemented in more than twice as many environments as in 2014 (15% and 25%, respectively). Such results can be interpreted to mean an increasing number of asset owners and operators are segregating their control systems from their business counterparts, a highly important step toward securing any networked system. Figure 9 provides a picture of the technologies in use and planned for implementation.

**What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months? Select all that apply.** (series: Current; Next 18 months)

_Figure 9. Technologies in Use to Protect Control Systems_

Despite economic challenges in some industrial sectors, it is notable that security awareness training has maintained both its current and forecast numbers (54% and 28%,

**What are the top three most important initiatives for increasing the security of control systems and control systems networks that your organization has planned for the next 18 months? Rank the top three, with “1” indicating the most important.**

Answer options (ranked 1 to 3 in the figure):

- Perform security assessment/audit of control systems and control system networks
- Increased security awareness training for all workforce members with access to control systems and control system networks
- Implement intrusion detection tools on control system networks
- Increased training of staff responsible for implementing and maintaining security of control systems and control system networks
- Increased physical security to better control physical access to control systems and control system networks
- Implement anomaly detection tools on control system networks
- Implement intrusion prevention tools on control system networks
- Increased staff responsible for implementing and maintaining security of control systems and control system networks
- Increased consulting services to secure control systems and control system networks
- Implement greater controls over mobile devices/wireless communications
- Increased background security checks of personnel with access to control systems and control system networks

_Figure 10. Top Initiatives for Increasing Security_

###### Vendor Qualification

Considering the critical nature of Site Acceptance Testing (SAT) of industrial control system

**How are patches and updates handled on your critical control system assets?** **_Select the most applicable method._**

Answer options: Vendor-validated patches installed on a regular basis; Batch-processed patches during downtime; Additional controls layered instead of patching; Virtual patch process to alleviate issues of downtime; Other

_Figure 11. Patching and Updating Assets_

###### Data Collection

The great majority of our respondents collect and correlate log data from the devices they consider most at risk: network devices and general-purpose computing devices (see Figure 12).

**Of the following system components, select those that you are collecting and correlating log data from.**

_Figure 12. Log Data Collection Points_

Once again, OLE for Process Control (OPC) was rated as the least frequently monitored asset—even though it often provides communications between control systems and corporate networks. We noted last year that this role and lack of oversight makes OPC a highly attractive target for attackers seeking a point to pivot from business to operations

**11%** Percentage of respondents collecting logs from OLE for process control (OPC) systems

###### Network Documentation

Identifying and detailing connections and attached devices in a network is a key step in securing it, yet most (74%) of respondents believe their external connections are not fully documented. Whether external connections are opened by third parties, internal operators or others, many of these connections use the Internet as a conduit, exposing critical infrastructure to direct attack. The Internet of Things[20] and Industrial Internet of Things[21] trends will continue to drive proliferation of inter-network linkages and threat exposures for the foreseeable future. Without specialized tools, tracing connections can be very time-intensive. Active scanning of control system environments can cause operational disruptions, and most active scanners are designed for identifying commercial OS vulnerabilities.
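The passive alternative the report points to can be illustrated with already-captured flow records: instead of probing controllers, build the connection inventory from what is observed on the wire and diff it against the documented list of external connections. The following is an added example, not code from the survey or from any product it mentions; the Zeek-style flow lines, the site address plan (10.10.0.0/16), the documented external connection and the host addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style conn records (tab-separated):
# ts, src, dst, dst_port, proto, service. Illustrative values only.
SAMPLE_FLOWS = """\
1433000000.1\t10.10.1.5\t10.10.2.20\t502\ttcp\tmodbus
1433000001.2\t10.10.1.5\t10.10.2.21\t502\ttcp\tmodbus
1433000002.3\t10.10.1.7\t10.10.2.20\t20000\ttcp\tdnp3
1433000003.4\t10.10.1.5\t198.51.100.10\t443\ttcp\tssl
1433000004.5\t10.10.3.9\t203.0.113.44\t5900\ttcp\tvnc
1433000005.6\t10.10.1.7\t10.10.9.1\t53\tudp\tdns
1433000006.7\t10.10.1.5\t10.10.2.20\t502\ttcp\tmodbus
"""

# Constructed site address plan: any destination outside it is an external connection.
SITE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed list of the external connections the site has documented: (dst, port).
DOCUMENTED_EXTERNAL = {("198.51.100.10", 443)}

# Well-known TCP ports of ICS protocols named in the report (Modbus, DNP3),
# plus EtherNet/IP and S7comm for illustration.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}


def parse_flows(text):
    """Parse tab-separated flow records into dicts; blank and comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service = line.split("\t")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "service": service})
    return flows


def is_external(addr):
    """True when the address lies outside every documented site network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in SITE_NETWORKS)


def build_inventory(flows):
    """Map each source host to its (dst, port, proto) peers with the first-seen timestamp."""
    inventory = defaultdict(dict)
    for f in flows:
        inventory[f["src"]].setdefault((f["dst"], f["port"], f["proto"]), f["ts"])
    return inventory


def undocumented_external(inventory, documented=DOCUMENTED_EXTERNAL):
    """External connections observed on the wire that are missing from the documented list."""
    findings = []
    for src, peers in inventory.items():
        for (dst, port, proto), first_seen in peers.items():
            if is_external(dst) and (dst, port) not in documented:
                findings.append((src, dst, port, proto, first_seen))
    return sorted(findings)


def ics_talkers(inventory):
    """Which hosts speak which ICS protocol to which controllers, keyed by protocol name."""
    talkers = defaultdict(set)
    for src, peers in inventory.items():
        for (dst, port, _proto), _ in peers.items():
            if port in ICS_PORTS:
                talkers[ICS_PORTS[port]].add((src, dst))
    return talkers


if __name__ == "__main__":
    inv = build_inventory(parse_flows(SAMPLE_FLOWS))
    for proto, pairs in sorted(ics_talkers(inv).items()):
        print(f"{proto}: {sorted(pairs)}")
    for src, dst, port, proto, ts in undocumented_external(inv):
        print(f"UNDOCUMENTED external connection {src} -> {dst}:{port}/{proto}, first seen {ts}")
```

Run against the constructed records, the script lists the Modbus and DNP3 talker pairs and flags the one external connection (a VNC session to 203.0.113.44) that is not on the documented list; nothing is ever sent toward a controller, which is the point of the passive approach on networks where active scanning risks operational disruption. On a real site, replace the sample text with a conn.log export and keep the documented list under change control so that the diff stays meaningful.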
ICS-specific passive traffic monitoring applications such as passive network anomaly detection systems can aid in scanning operations.

###### Assessing Security

As valuable as security assessments are, they are snapshots, and their accuracy and value diminish with age. The fact that 40% of respondents last performed an assessment more than six months ago and 9% have never done a security assessment of their control systems or control networks means many organizations are working with obsolete information. Although there is no one-size-fits-all frequency for performing security assessments,[22] the risks of unknown exposures and vulnerabilities in critical infrastructure argue for minimal delays between assessments.

Most (69%) of the assessments carried out in respondents’ companies are performed by internal teams. However, people with the required skills and experience are in short supply and high demand, and very few operating companies have them on staff, which calls the value of the efforts of these internal teams into question.

[20] www.csoonline.com/article/2687653/data-protection/new-toolkit-seeks-routers-internet-of-things-for-ddos-botnet.html

[21] www.techradar.com/news/world-of-tech/forget-smart-fridges-the-industrial-internet-of-things-is-the-real-revolution-1287276

###### Vulnerability Detection

No single tool can cover all exposures in control system networks, and security practitioners are well served to use a variety. The largest number of respondents (59%) monitors CERT

**What processes are you using to detect vulnerabilities within your control system networks? Select all that apply.**

_Figure 13. Vulnerability Detection Processes_

###### Threat Intelligence

Many respondents are following some recommended practices to detect threats aimed at their control systems: 49% have trained security staff, 45% use third-party intelligence from security vendors, 44% work with governmental agencies and 45% participate in industry information-sharing groups. Although all of these methods are valuable and complementary, they are not all in use by the same companies. As noted previously, a combination of intelligence tools is the best way to ensure asset protection.

We also observed a reduction in the number of respondents who rely on their own staff for their threat intelligence needs. Monitoring and tracking the flow of information regarding threats, threat actors and active attacks—as well as analyzing that data and producing targeted intelligence relevant to the specific considerations of each company—call for a specialized set of skills not commonly found in security practitioners.

###### Incident Reporting

When encountering signs of infection or infiltration, survey participants turn first to the same four groups: internal resources, government organizations, control system vendors and security consultants. A greater number of respondents consult with vendors (45%) and security consultants (38%) than in the past (37% and 33%, respectively, in 2014). And they are significantly more likely to contact a cybersecurity solution provider than before (32% in 2015 compared with 21% in 2014). Figure 14 provides a complete breakdown.

**Whom do you consult in case of signs of an infection or infiltration of your control system cyber assets or network? Select all that apply.**

_Figure 14. Incident Response Support_

###### Security Policy

Most (86%) respondents identified the individuals with responsibility for control system security policy as titled officers, including chief security officer, CIO, chief information security officer, information security officer and CEO. For 8% of respondents, no single individual set policy; rather, policy was set by committees, teams and boards. The evolving nature of the control system security landscape and the unique characteristics of each operation certainly appear to contribute to the diversity of models in use. IT and control system networks are still very different environments,[23] and a strong working knowledge of both is required to set and implement successful policies. We consider the involvement of cross-functional teams a positive indication that organizations are working to ensure inclusion of all aspects of the systems and networks involved.

**Who in your organization is responsible for implementation of security controls around control systems? Select all that apply.**

_Figure 15. Control Implementation Responsibility_

**Which cybersecurity standards do you map your control systems to?** **_Select all that apply._**

_Figure 16. Standards Mapping_

###### Systems Procurement

Securing existing assets and systems is inescapably important, but a full life-cycle approach includes security in procurement. We find this year’s results encouraging in that more respondents consider cybersecurity in their automation systems procurement process. The group indicating it does not consider cybersecurity in the automation systems procurement process decreased, from 9% in 2014 to 6%. Those confirming they do consider cybersecurity grew to 35% (from 32% in 2014), while those who “somewhat” do also grew to 37% (from 35% in 2014). See Figure 17.

**Do you normally consider cybersecurity in your automation systems procurement process?**

Answer options:

- Yes—we have a very clear and reasonable list of requirements.
- Somewhat—we ask for compliance to as many standards as possible.
- Hopefully—we ask the vendors to come up with a proposal.
- Not really—we want to, but are not sure what to ask.
- No—we do not consider cybersecurity in our procurement processes.
- Other

_Figure 17. Consideration of Cybersecurity in the Procurement Process_

This growth, however small, is a positive trend. The question of who should bear the cost of increased security can be a contentious one, with both vendors and customers presenting business cases placing the burden on the opposite party. Whether operations

Ongoing issues arising from the continuing integration of commercial operating systems (Windows, Linux, UNIX) and open communication protocols into control system networks encouraged us to study how participants are dealing with this convergence of technologies. Considering the magnitude of the changes that drive the trend,[24] we wondered if participants have a plan as general-purpose devices and IP-based technologies continue to grow within control and automation system environments. The majority (83%) recognize the importance of having a security strategy to address the convergence of information and operational technologies. Unfortunately, only 47% actually have a strategy, as shown in Figure 18.

**Does your company have a security strategy to address the convergence of information and operational technologies?**

Answer options:

- We have no strategy and no plans to develop one.
- We have no strategy but are developing one.
- We have a strategy and are implementing it.
- We have a strategy in place.

_Figure 18. Strategies for IT-ICS Convergence_

**Who controls the control systems security budget for your company?**

Answer options: Information technology (IT); Operations; Both IT and operations; Unknown; Other

_Figure 19. Control of the Control Systems Security Budget_

###### About the Authors

**Derek Harp is currently the business operations lead for the Industrial Control System (ICS) programs at SANS.** He has served as a founder, CEO and advisor of startup companies for the past 16 years with a focus on cybersecurity. Derek is also a co-founder and board member of a company focused on the security technology needs of ICS asset owners. Derek is a former naval officer with experience in combat information management, communications security and intelligence.

**Bengt Gregory-Brown is a consultant to the SANS ICS program and the principal analyst at Sable Lion Ventures, LLC,** a virtual accelerator focused on emerging cybersecurity solutions. He brings 20 years of experience in management of IT and infrastructure projects, enterprise security governance, information security risk analysis, regulatory compliance and policy conformance for high-profile companies to bear in his writing. Bengt has managed multiple patents from ideation through the development and issuing phases.

###### Sponsors

SANS would like to thank this survey’s sponsors: SurfWatch Labs and Tenable Network Security.