The second article was a survey by Control Engineering magazine on global views of cyber security in the industrial controls domain. The survey revealed that almost 50% of the respondents perceive the control system threat in their organizations to be at a moderate level, while 25% cite a "high" or "severe" threat level in their systems.
So, rather than provide detailed reviews of each document, let me point you to the appropriate links with some summary notes added:
Risk Nexus - Beyond Data Breaches: Global Interconnections of Cyber Risk -- Zurich and Atlantic Council
One quote that I find especially telling is:
Finally, take a look at Page 8 of the report, where they list seven aggregations of cyber risk that certainly made me think:
- Internal IT enterprise (hardware, software, servers, and related people and processes)
- Counterparties and partners (relationship between competing/cooperating entities, etc.)
- Outsourced and contract (IT and cloud providers, contract manufacturing)
- Supply chain (exposure to a single country, counterfeit or tampered products, risks of a disrupted supply chain)
- Disruptive technologies (internet of things, smart grid, embedded medical devices, driverless cars...)
- Upstream infrastructure (submarine cables, internet governance and operation)
- External shocks (major international conflicts, malware pandemics)
At a minimum, I'd suggest you pass this report to your Board of Directors and Executive Management so they get a sense of another view of the risks that need to be addressed and mitigated.
Control Engineering Cyber Security Study - April 2014 (Registration Required)
This summary report is a collection of graphs showing the demographics of the respondents as well as the summary results of the questions.
A good summary graph of the threats considered by the respondents is below:
If you cannot adequately read the graphic above, the top three system components the respondents are most concerned about are:
- Computer assets that are running commercial operating systems
- Connections to other internal systems
- Network devices
Other findings from the survey that stood out:
- 24% of respondents said they had NEVER performed a systems security vulnerability test
- 25% of those surveyed indicated their computer emergency response team appears well trained and capable
- 41% agreed having industry-required standards without government involvement would improve or enable their efforts to implement proper control system cybersecurity. (So, maybe the NIST Cyber Security Framework has some hope?)