The State of Security in Control Systems Today: A SANS Survey

Bethesda, Md. – The control systems used in critical infrastructure facilities are increasingly vulnerable to attack, but it's almost impossible to tell how often they're breached or how it's done, according to early results from a SANS survey on the security of industrial control systems. Thirty-two percent of respondents who admitted having experienced a breach said they can't say how often they were breached; 42% said they weren't able to identify the source of the breaches.

"The number of confirmed breaches is rising, but the limited ability of most ICS security systems to detect attacks, let alone reveal their source and type, is at least as big a problem as the number of attacks on operational technology systems," according to Bengt Gregory-Brown, consultant to the SANS ICS program. "Lack of visibility into ICS systems is a problem, and one that's growing with greater connectivity and the IT-OT integration."

The increasing integration of IT into once-isolated OT systems is one of the top three threat vectors identified by security professionals polled by SANS. The threat of attack from external actors is still the biggest concern; 42% of respondents said outsiders are the top threat and 73% said it was one of the top three. Internal threats came in second, being named by 49% of respondents as being in the top three threats, followed by integration of IT into control system networks, with 46%.

Although integration is concerning, IT and ICS are converging with greater frequency. Only 29% of respondents have begun implementing a strategy to manage that convergence securely; 36% are developing a strategy and 18% have no strategy at all and don't plan to develop one.

"We are very glad to see indications of growing collaboration between IT and ICS security staff," says Derek Harp, director of SANS ICS-SCADA security. "But the number of companies lacking strategies to manage the integration of IP technologies and commercial operating systems into ICS environments is still quite high."

Appropriate training is key to being able to address the security issues as IT and ICS continue to converge. Most respondents reported having IT certifications, but far fewer had ICS security-specific training. Multiple factors drive the increased targeting of control systems. To successfully protect these environments, control system and information security professionals need sufficient training, tools and support--not only so they can respond to ongoing attacks, but so they can proactively identify and implement safeguards to prevent future breaches.

Full results will be shared during a webcast on Thursday, June 25, 2015, at 1 PM EDT, sponsored by SurfWatch Labs and Tenable Network Security, and hosted by SANS. Register to attend the webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and ICS expert Derek Harp and Bengt Gregory-Brown, a consultant to the SANS ICS program.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.