Shortly after the Industroyer malware has frightened IC security practitioners around the world with its unique ability to affect industrial control systems (ICS) directly, the SANS Institute’s research proves that ICS security is indeed a serious issue.

The recent research “Securing Industrial Control Systems—2017” by SANS Institute is based on polling hundreds of professionals in the field of ICS security. Its goal is to gather related information and map the attitudes of industrial control security practitioners in regard to the security of their systems, threats and attack vectors, and defense measures.

The research shows that, predictably, the respondents’ highest priority is keeping their operational technology running. Answering the question “What are your primary business concerns when it comes to the security of your control systems?”, nearly a quarter put “Ensuring reliability and availability of control systems” first; among the top three priorities is this one for over 50% of respondents.

To measure the real scope of ICS security, the question “Have your control systems been infected or infiltrated in the past 12 months?” was included in the survey. The most common response, “Not that we know of,” was selected by 40%, while less than a half of that, 19%, chose “No, we’re sure we haven’t been infiltrated”.

"The SANS survey shows that ICS security experts seriously worry about security."

As for the overall security, the respondents answered the same key question as in the previous years: “How serious does your organization consider the current threats to control system cybersecurity to be?” 69% of respondents rated the perceived level of threat as severe/critical or high – a two percentage point increase compared to last year’s survey.

The biggest three threats cited by the respondents were “Devices and ‘things’ (that cannot protect themselves) added to networks”; “Internal threats (accidental)”; and “External threats (hacktivism, nation states)”. “Extortion, ransomware and other financially motivated crimes” came in fourth place, while “External threats via a supply chain or partnerships” was far behind at number eight (out of 10 options offered to the respondents).

As for the defense measures that the respondents currently have in use, anti-malware technologies emerged as the most relied-upon measure, followed by access control solutions. The top three wanted technologies or solutions were industrial intrusion detection, control system network security monitoring and security awareness training for staff, contractors and vendors.

For interpreting the survey’s results, it should be noted that the responses were collected in February-March of 2017 (as its editors told WeLiveSecurity). This means that the respondents’ attitudes were not influenced by the news about the discovery of Industroyer – arguably the most important recent news story that is related to ICS security, which appeared in the industry’s media in May.

“The SANS survey shows that ICS security experts worry seriously about security,” commented Robert Lipovský, Senior Malware Researcher at ESET. “It will be interesting to see if the discovery of Industroyer pushes these worries to an even higher level – future reports will show.”

Industroyer was first analyzed by ESET researchers who discovered its capability to disrupt industrial processes – in the case investigated, precisely targeting a particular energy transmission infrastructure.

As a highly configurable tool, Industroyer can be easily refitted to attack similar energy infrastructures and even re-purposed to attack industrial control systems in other industries such as transportation or manufacturing.

“It is a reminder to all those responsible for critical systems around the world, many of which were designed without security in mind. Now’s the time to take measures for securing them – and the SANS research shows that security experts are taking this issue seriously,” concludes Lipovský.