According to
a report from SANS on the state of Industrial Control System (ICS)
security, one-third of respondents (34%) said their systems had been
infiltrated or infected in an attack at least twice in the last twelve months.
Of the
organizations breached, nearly half (44%) said they were unable to
identify the source of the infiltration, and 15% said it took them more than
one month to detect the breach.
“The number
of confirmed breaches is rising, but the limited ability of most ICS security
systems to detect attacks, let alone reveal their source and type, is at least
as big a problem as the number of attacks on operational technology
systems,” said Bengt Gregory-Brown, consultant to the SANS ICS
program.
“Lack of
visibility into ICS systems is a problem, and one that’s growing with greater
connectivity and the IT-OT integration.”
The study
surveyed 314 respondents, the majority of whom identified their roles
as security administration/security analyst, security
manager/director or officer, and security design engineer.
The study
revealed that the threat of attacks carried out by external actors was the
primary security concern, with 42% marking it as the top threat
and 73% identifying it as being in their top three concerns.
Threats from
insiders were identified by 49% of respondents as being in the top three
threats, and 46% said the integration of IT systems into
the ICS networks was a major risk factor.
Despite the
integration concerns, only 29% of respondents said their organization
has begun implementing strategies to manage the risks
from convergence, 36% said their organization is currently developing
strategies, and 18% said there is no strategy in place and no
plans to develop one.
“We are very
glad to see indications of growing collaboration between IT and ICS security
staff,” says Derek Harp, director of the SANS ICS-SCADA security.
“But the
number of companies lacking strategies to manage the integration of IP
technologies and commercial operating systems into ICS environments is still
quite high.”
In
April, ICS-CERT released its annual Year In Review report (PDF),
which examined the risks posed by the increase in Industrial Control Systems
(ICS) that are connected to the Internet, either intentionally or by mistake.
ICS-CERT reported
that they responded to 245 attacks (PDF) against U.S.-based Industrial
Control Systems (ICS) in the 2014 fiscal year (October 2013 to September
2014), with nearly one-third of the incidents focused on systems governing
energy production and distribution.
Of the
reported attacks, 32% targeted the Energy Sector, with attacks against Critical
Manufacturing systems following in a close second place at 27%, Healthcare
with 6%, Water supply systems and Communications each with 6%, and Government
Facilities at just over 5%.
ICS-CERT
also received 159 reports of vulnerabilities identified in control systems
components, and they coordinated with researchers and vendors on mitigations
both domestically and abroad, with the majority affecting systems
used in the Energy Sector, followed by Critical Manufacturing, Water and
Wastewater.
Authentication
issues, buffer overflows, and denial-of-service vulnerabilities were the most
common vulnerability types, with the ‘Heartbleed’ OpenSSL vulnerability
garnering the most attention through multi-vendor coordinated responses.
This post was originally published here: One-Third
of Industrial Control Systems Breached in Last Twelve Months
Related article: Best practices in IT/OT integration for ICS