The report is a quick and useful read. I'd highly recommend that not only ICS Security Professionals read and digest this report but also it be shown to the skeptical executives in their organization.
So, here are some key bullets gleaned from my read:
- Top four concerns by those surveyed include:
  - Ensuring reliability and availability (68%)
  - Lowering risk/improving security (40%)
  - Preventing damage (28%)
  - Ensuring health and safety (27%)
- Rapid detection of security incidents on ICS is key because the longer the breaches remain unknown, the greater the potential impact.
- The integration of IT into control system networks was chosen by 19% of respondents as the single greatest threat vector. The top three threat vectors were a) External Threat, b) Internal Threat, and c) Integration of IT into the Control System Networks.
- 74% of respondents believe that their external connections are not fully documented. (Ugh!) Simply identifying and detailing connections and attached devices in a network is a key step to securing it.
- Another challenge highlighted in the survey is a lack of visibility into control system equipment and network activity, which inhibits progress in securing assets and reduces the accuracy of self-evaluations.
- Know what is normal. Lack of visibility into control system networks is one of the greatest barriers to securing these resources. Without awareness of normal communications and activity, it's impossible to properly evaluate or improve security of assets. Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.
- Gain visibility into control system networks. Map all devices, physical interconnections, logical data channels and implemented ICS protocols among devices, including read coils, write registers, scans and time stamps. Establish a fingerprint of normal control network activity and communication, including communication patterns, schedules and protocols. Then, establish device logging, strict change management and automated log analysis based on your baseline data.
- Integrate security into procurement and decommissioning processes. Establishing security of software or devices is cheaper, easier and more effective prior to deployment. The burden of maintaining security is lighter when you start from a secure state. And, security should be included in the decommissioning and removal of devices to avoid opening serious vulnerabilities.
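The "know what is normal" and "gain visibility" bullets above describe a baseline-and-deviation approach: record which devices talk to which, over which ICS functions, during a known-good window, then flag traffic that falls outside that fingerprint. The script below is an added example (not from the report or the post) that does this for a constructed set of Modbus/TCP log lines. The log format, the host addresses, the documented-host inventory and the severity scale are all assumptions made for the example; the Modbus function-code numbers and names are the standard public ones.

```python
"""Baseline a control network's Modbus conversations, then flag deviations.

Added example. Log format, hosts and inventory are constructed for illustration.
Each log line is: '<timestamp> <src_ip> <dst_ip> modbus fc=<function_code>'.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard Modbus public function codes (the "read coils, write registers" in the text).
MODBUS_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # anything that changes process state


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    func: int


def parse_line(line):
    """Parse one constructed log line into (timestamp, Flow)."""
    ts, src, dst, proto, fc = line.split()
    if proto != "modbus":
        raise ValueError(f"unexpected protocol field: {proto}")
    return ts, Flow(src, dst, int(fc.split("=", 1)[1]))


def build_baseline(lines):
    """Learn the fingerprint: for each (src, dst) pair, the function codes seen."""
    baseline = defaultdict(set)
    for line in lines:
        _, flow = parse_line(line)
        baseline[(flow.src, flow.dst)].add(flow.func)
    return dict(baseline)


def evaluate(baseline, lines, documented_hosts):
    """Compare new traffic against the baseline and the documented connection inventory.

    Returns a list of (timestamp, severity, message) findings, in log order.
    """
    findings = []
    for line in lines:
        ts, flow = parse_line(line)
        pair = (flow.src, flow.dst)
        if flow.src not in documented_hosts:
            # The survey's "external connections are not fully documented" problem:
            # an initiator that is not in the inventory at all.
            findings.append((ts, "HIGH", f"undocumented host {flow.src} talking to {flow.dst}"))
        elif pair not in baseline:
            findings.append((ts, "MEDIUM", f"new communication pair {flow.src} -> {flow.dst}"))
        elif flow.func not in baseline[pair]:
            # A known pair using a function it never used before; writes matter most.
            severity = "HIGH" if flow.func in WRITE_FUNCTIONS else "LOW"
            name = MODBUS_FUNCTIONS.get(flow.func, f"function code {flow.func}")
            findings.append((ts, severity, f"{flow.src} -> {flow.dst} used {name} for the first time"))
    return findings


# Constructed known-good week: HMI (.10) polls two PLCs, historian (.11) reads coils,
# engineering workstation (.12) is the only host that writes.
BASELINE_LOG = [
    "2024-01-08T08:00:00 10.1.1.10 10.1.2.20 modbus fc=3",
    "2024-01-08T08:00:05 10.1.1.10 10.1.2.21 modbus fc=3",
    "2024-01-08T08:00:10 10.1.1.11 10.1.2.20 modbus fc=1",
    "2024-01-08T09:30:00 10.1.1.12 10.1.2.20 modbus fc=16",
]

# Constructed later traffic containing one normal poll and four deviations.
NEW_LOG = [
    "2024-01-15T08:00:00 10.1.1.10 10.1.2.20 modbus fc=3",       # normal poll
    "2024-01-15T08:00:07 10.1.1.10 10.1.2.20 modbus fc=6",       # HMI starts writing
    "2024-01-15T08:01:00 10.1.1.11 10.1.2.21 modbus fc=1",       # historian reaches a new PLC
    "2024-01-15T08:02:00 10.1.1.10 10.1.2.20 modbus fc=4",       # new read function
    "2024-01-15T08:03:00 192.168.50.5 10.1.2.20 modbus fc=16",   # host not in inventory
]

# Constructed connection inventory (the documentation the survey says 74% lack).
DOCUMENTED_HOSTS = {"10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.2.20", "10.1.2.21"}


if __name__ == "__main__":
    fingerprint = build_baseline(BASELINE_LOG)
    for ts, severity, message in evaluate(fingerprint, NEW_LOG, DOCUMENTED_HOSTS):
        print(f"{ts} [{severity}] {message}")
```

The baseline is deliberately coarse (peer pair plus function code); in practice the same structure extends to unit identifiers, register ranges and polling schedules, which is what the post means by "communication patterns, schedules and protocols". The important design choice is that the inventory and the learned fingerprint are separate inputs: a host missing from the inventory is a documentation failure even if it has been on the wire for months.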