2017 SANS Survey - Three Ways ICS Security is Improving

2017 SANS Survey - Three Ways ICS Security is Improving

This article was updated on October 9, 2019.

How does your ICS cyber security budget compare to those of other organizations? How well are you doing, relatively speaking, in terms of detecting security breaches? And, where does your company stand in terms of managing OT/IT convergence? If you would like the answers to these questions, the good news is that the SANS Institute has a report for you.

Even better, you can download it for free. Let’s look at the three areas mentioned above, and find out where they stand in 2017, according to dozens of industrial organizations1.

Industrial Security Budgets are Stable or Growing

Budget constraints are usually the curse of new initiatives, like implementing new or improved ICS cyber security programs. To see how your budget stacks up with other organizations who have the same number of employees, see the chart below. An important point to note is that 46% of survey respondents who have funding knowledge report stable budgets, 46% report increases, and 8% report decreases. If your budget is in the last group, you now have more ammunition for making the case for a change. The control of budgets is shared across IT and OT by 39% of respondents, up from 34% in 2016. OT controls the ICS cyber security budget for 31% of respondents, while IT has control for 17% of organizations. The fact that budgeting is cross-functional for most operators is an encouraging sign, since vulnerabilities and attack vectors originate in both IT and OT systems. For those with budgets, their top priorities are:

  • 36% – Performing security assessments of control system networks
  • 36% – Increasing visibility into control system cyber assets
  • 28% – Increasing security awareness training for personnel with access to ICS
  • 27% – Implementing visibility and control tools for monitoring connected ICS devices
  • 26% – Implementing training for staff responsible for ICS cyber security (26%)
  • 22% – Implementing anomaly and intrusion detection tools

Detecting ICS Security Breaches

Breach metrics are important because threats to industrial systems are continuing to increase. Identifying breaches, their frequency and source, is important information for developing risk management strategies. A positive finding of the report is that breach recognition is increasing, with just 18% indicating they did not know how many times security events occurred on their ICS in the past 12 months, compared with 28% in 2016. Also, knowledge about “dwell time,” the period between the onset of an infiltration and its discovery, shifted down from 12% indicating unknown in 2016 to 6% indicating the same in 2017. Respondents were also able to identify the source of network infections in more cases, attributing compromises to hackers as opposed to unintentional causes 56% of the time in 2017, versus just 36% of time in 2017. These results are summarized in the table below.

IT and ICS Convergence

As enterprise and industrial systems have become more connected, and as the attack surface of ICS continues to grow, the need to utilize both IT and OT skills to truly secure an organization’s systems has increased. Of the respondents to the 2017 SANS survey, 38% indicate they have a strategy for implementing IT/OT convergence. This is almost the same percentage that share control of the ICS security budget. This is good news, and we should recognize it as such. Of the 62% that do not have a convergence strategy, the biggest challenges to advancing IT and ICS technology integration are:

  • Technical integration of legacy and aging ICS technology with modern IT systems
  • IT staff does not understand ICS operation requirements.

Bridging the IT/OT divide, caused by different backgrounds, priorities and training, is one of the biggest challenges to improving ICS security. Ways of addressing this challenge are:

  • Implement a joint ongoing training program. NIST SP 800-82 includes a section on this.
  • Consider re-organizing IT and OT people onto the same teams.

Utilize the SANS Report to Improve Your Industrial Security Program

Having carefully studied the SANS reports over the last three years, I am encouraged by this year’s results. In 2015, SANS found it necessary to describe basic ICS security controls in the report. In 2016, a key takeaway was “security for ICS has not improved in many areas and that many problems identified as high priority concerns in our past surveys remain as prevalent as ever.” The 2017 SANS report is more upbeat, with industrial security budgets stable or increasing, detection of security breaches improving, and OT/IT convergence proceeding positively in many organizations. I encourage you to download the full report, available below, and consider how its information can help you advance the ICS cyber security program in your organization. Furthermore, don’t miss our related blog “SANS ICS Survey – How SCADAguardian Tackles the Top Threats.”

1 There were 196 survey respondents, with 66% headquartered in North America, 23% in Europe and the balance distributed around the world.