In 2009, Control Engineering released a survey to determine how industrial users perceive threats to their networks, and what steps they’ve taken to defend against cyber attackers. The results then suggested that companies were moving slowly in recognizing threats and preparing defenses, and one out of four industrial users reported that they saw no potential cyber threats that could affect their businesses. Much has happened in that world over the last four years, including Stuxnet and other high-profile disturbances in a variety of industries.
So the question is, have those perceptions changed in the face of what seems to be a more threatening landscape? A new cyber security perceptions and practices survey, available now, duplicates many of the questions from 2009, along with a few new ones that have emerged with the evolving picture.
Visit www.controleng.com to view this as an "On Demand Webcast," download the slides, and to take the CEU Exam. One (1) RCEP / ACEC Certified Professional Development Hour (PDH) available.
2. Related information regarding the webcast:
• Download slides: http://www.controleng.com/index.php?id=8263
• CEU Exam: http://www.controleng.com/index.php?id=8269
• For more information on Belden: http://www.belden.com
• For more information on Honeywell: http://www.Becybersecure.com
• For more information on another Control Engineering webcast visit http://www.controleng.com/media-library/webcasts.html
3. RCEP standards
Control Engineering has met the standards and
requirements of the Registered Continuing
Education Program. Credit earned on
completion of this program will be reported to
RCEP at RCEP.net. A certificate of
completion will be issued to each participant.
As such, it does not include content that may
be deemed or construed to be an approval or
endorsement by RCEP.
6. Purpose and learning objectives
• Examine the 2013 survey results
• Discuss the implications of the answers
• Compare your own situation
• Consider strategies for mitigating threats
• Lay out steps for launching a larger
defensive program
• Questions
7. Speakers:
• Matt Luallen, Cyber Security Trainer and Consultant, Cybati
• Tim Conway, Technical Director, ICS and SCADA, SANS Institute
• Peter Welander, Content Manager, Control Engineering, CFE Media
11. Q: What is (are) your role(s) in the organization?
The top 3 organization roles selected by respondents are: Process control engineer (41%); Other (30%); and Production engineering manager (16%).
[Bar chart: respondents by organization role. Category labels not recoverable; bar values in slide order: 5%, 2%, 8%, 2%, 16%, 7%, 8%, 4%, 2%, 41%, 6%, 2%, 30%]
(n=321)
13. Q: What level do you perceive the control system cyber
security threat to be?
46% of respondents reported the level of control system cyber security threat to be high or severe.
3% of respondents were unsure.
• Low: 12%
• Moderate: 39%
• High: 35%
• Severe: 11%
• Don't know: 3%
(n=317)
14. Q: What potential system-components are you most concerned with?
24% of respondents reported that computer assets are the system component they are most concerned with, while 15% reported network devices.
• Computer assets (HMI, server, workstations) running commercial operating systems (Windows, Unix, Linux): 24%
• Network devices (firewall, switches, routers, gateways): 15%
• Wireless communication devices and protocols used in the automation system: 13%
• Connections to other internal systems (office networks): 12%
• Embedded controllers and other components such as PLCs (programmable logic controllers), IEDs (intelligent electronic devices): 12%
• Control system communication protocols used (Modbus, DNP3, Profibus, Fieldbus, TCP/IP): 9%
• Control system applications: 8%
• Connections to the field SCADA network: 6%
• Other: 1%
(n=319)
15. Q: When is the last time your organization performed
any type of vulnerability assessment?
58% of respondents reported their organization has performed a vulnerability assessment within the past year, while 27% reported they have never performed an assessment.
• Within past 6 months: 30%
• Within past year: 28%
• Within past 18 months: 4%
• Within past 2 years: 11%
• Never: 27%
(n=316)
16. Q: Have your control system cyber assets and/or control system
network ever been infected or infiltrated in the last 12 months?
81% of respondents reported their organization has not had an infection or infiltration of its control system cyber assets or network within the past 12 months.
No, 81%
Yes, 19%
(n=318)
17. Q: Does your organization have an operating computer
emergency response team to detect cyber security breach
attempts and successful cyber security breaches?
Over half (55%) of respondents reported their organization has an operating computer emergency
response team.
Yes, 55%
No, 45%
(n=318)
18. Q: Does your organization have an operating operational
response team to respond to any type of security/breach incident?
59% of respondents reported their organization has an operating operational response team.
Yes, 59%
No, 41%
(n=312)
19. Q: Does your organization currently have the capability of
performing vulnerability assessments in house without using
any external assistance?
Over half (54%) of respondents reported their organization has the capabilities of performing
vulnerability assessments without external assistance.
Yes, 54%
No, 46%
(n=314)
20. Q: Has your organization implemented a cyber change control process
that is able to prevent unauthorized and potentially vulnerable cyber
changes from taking place on your control system?
53% of respondents reported their organization has implemented a cyber change control process.
Yes, 53%
No, 47%
(n=309)
21. Q: Does your organization allow access to control system
networks from smartphones and/or tablets (e.g. iPads)?
Three-fourths (75%) of respondents reported their organization does not allow access to control
system networks from smartphones and/or tablets.
No, 75%
Yes, 25%
(n=312)
22. Q: Is your organization involved in an industry where you are
compelled to implement specific information control system protections
for control system cyber assets?
Over half of respondents (53%) reported their organization is not involved in an industry
compelled to implement specific information control system protections.
No, 53%
Yes, 47%
(n=312)
23. Q: Does your organization have an accurate and complete
inventory of all information systems that reside and operate on
your control network?
68% of respondents reported their organization has an accurate and complete inventory of all
information systems on their control network.
Yes, 68%
No, 32%
(n=314)
24. Q: Does your organization protect the logical configurations of
all control system devices (e.g. PLCs, PACs, MTUs, RTUs)?
About two-thirds of respondents reported their organization protects the logical configurations of
control system devices.
Yes, 67%
No, 33%
(n=313)
25. Q: Has your organization performed an internal spear
phishing campaign?
70% of respondents reported their organization has not implemented a spear phishing
campaign.
No, 70%
Yes, 30%
(n=308)
26. Submitting Questions, Exit Survey and Archive
Question?
Type your question in the “Questions & Answers” box on the
Webcast console and click “Send.” We will get to as many
questions as we have time for.
Exit Survey:
Please take a moment to answer a few questions on our exit
survey that should pop up on your screen. We use the answers
to help make improvements to our webcast program.
Archive:
• Within 7 days, an archive with Q&A will be posted
• We will send an email to registered attendees with hyperlink
• Can also access from www.controleng.com home page
To access the presentation slides, or to learn more about our sponsors, use the “links” option at the top of your screen. From this option, you can download the presentation, or visit our webcast sponsor, at any time. The Links tab also has information on how to get your certificate of completion. If you’re watching the presentation from the archive, you’ll see that the instructions are a little different. Simply click “Meeting Links” on your console.
There will be a Q&A session after the presentations. You can use the question box to type questions to speakers during their presentations and we’ll answer as many as possible later in the broadcast. This webcast is being recorded, including the Q&A session. We’ll post the archive on the Control Engineering Website in a few days, and send you an email message with a link connecting directly to it.
We are offering a professional development hour (PDH) for attending today’s event. Please fill out the evaluation form at the end of the event and once you click submit, you will be led to a page where you can download your PDH certificate.
If you are having technical problems with audio or the slides, click the Help button to bring up a list of system checks you should try before escalating to an online technician. If you need a technician, type a message into the question box and one will get to you as quickly as possible.
Control Engineering has met the standards and requirements of the Registered Continuing Education Program. Credit earned on completion of this program will be reported to RCEP at RCEP.net. A certificate of completion will be available for each participant to download upon completion of an evaluation at the end of the presentation. As such, it does not include content that may be deemed or construed to be an approval or endorsement by RCEP.
Thank you to today’s webcast sponsors: Belden and Honeywell