Ponemon: ICS Systems Improving Security Postures, But Work Left to Do

A new Ponemon Institute survey found that security efforts in the sector are ramping up: 51% use formal risk assessments to identify security risks, which is higher than the broader enterprise average.

Also, the survey found a majority (86%) believe that minimizing noncompliance with laws and regulations helps meet certain business objectives – and that’s also 5% higher than the average.

“With the rapid escalation of critical infrastructure cybersecurity threats, industrial control organizations have a lot to do,” said Dwayne Melancon, CTO for survey sponsor Tripwire, in a statement. “It is encouraging that they are embracing a risk-based view of their operations at a higher than average rate.”

Risk-based security is coming onto the radar screen too: 43% measure the reduction in unplanned system downtime to assess the effectiveness of cost-containment management efforts, compared with the survey average of 38%. And about half (52%) listed the “flow of upstream communications” as one of the top three features most critical to the success of a risk-based security management approach – an 8% increase over the survey average of 46%.

Even so, Melancon cautioned that this is not enough to protect ICS systems against determined attackers. For instance, only 56% listed an “openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach – and this is 6% lower than the survey average of 62%.

Further, “It is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability,” he said. In this regard, however, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security.

Only 40% have fully or partially deployed security configuration management, compared with the survey average of 49%, and 75% have fully or partially deployed system hardening, which is 5% lower than the survey average of 80%.

When it comes to organizational culture, security still has a long way to go toward permeating the business. Most ICS respondents (69%) said security communications are contained in only one department or line of business, compared with the survey average of 63%. And 67% said security communications occur at too low a level, compared with the survey average of 62% – indicating that needed oversight from the C-level is generally lacking.

“Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level,” Melancon continued. “Security risks must be considered in context with overall business risk or the entire organization’s success will be in jeopardy.”
