4 Days left to get a GIAC Certification Attempt Included with Online Training - Register Today!

Press


SANS Institute Announces Results of Its 2014 Survey on SCADA Industrial Control Systems Security

More Breaches Identified; Vulnerability Detection Limited; Shared Responsibility

  • Bethesda, MD
  • March 25, 2014

SANS today announced results of its 2014 Survey on control system security), sponsored by Qualys, Raytheon, Sourcefire, and Tenable Network Security, in which 268 IT professionals answered questions about their overall risk awareness, trends in threats and breaches, and effective means to mitigate vulnerabilities with regard to supervisory control and data acquisition (SCADA)/industrial control systems (ICS).

"Attacks on control systems are on the rise," says Matt Luallen, SANS Analyst and author of this survey. "Budgets for cybersecurity in SCADA ICS environments remain very slim, and organizations continue to be dependent on limited resources and staffing to detect breaches and attacks."

In the year since SANS' last survey on this topic, the number of entities with identified or suspected security breaches has increased from 28% to nearly 40%. Only 9% can say with surety that they haven't been breached.

Organizations want to be able to protect their systems and assets, which include computer systems, networks, embedded controllers, control system communication protocols and various physical assets. Respondents also noted they strive to protect public safety; increase leadership risk awareness; and expand controls pertaining to asset identification, communication channels and centralized monitoring.

Still, many organizations do not or cannot collect data from some of the most critical SCADA and ICS assets, and many depend on trained staff, not tools, to detect issues. Alarmingly, according to the survey, 16% have no process in place to detect vulnerabilities.

Interestingly, the survey noted a merging of ICS security and IT security. "Respondents indicated that ICS security is being performed by specialists reporting to both engineering and IT," says Derek Harp, business operations lead for ICS programs at SANS. "This places a real priority on cross-departmental coordination, effectively bridging competencies and building (as well as assessing) skill in an organized manner."

Results and insights surrounding control system cybersecurity will be released during a webcast on Tuesday, April 1, at 1 PM EST. To register for the complimentary webcast please visit: http://www.sans.org/info/155470

Those who register for these webcasts will be given access to an advanced copy of the associated report developed by Matt Luallen.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

Tweet this: #SCADA #ICS security pros reveal major issues, concerns in new @SANSInstitute survey report. Webcast April 1 http://bit.ly/ctl-sys-security

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)