By Gregory Hale
Almost 40 percent of people surveyed have suffered between 2 to 5 cyber security incidents in their facility, according to a new survey from the Security Incidents Organization (SIO).
These are the excerpted results in the first of what will be an annual RISI (Repository of Industrial Security Incidents) End-User Control System Security Survey. ISSSource will report on more of the survey next week.
While multiple industries ended up surveyed, the majority of the industries responding were chemical with 21.6%; petroleum 19.6%; power and utilities at 17.6%, and water/waste water at 7.8%.
Security is everyone’s business and that means everyone has to be aware. When asked if respondents were aware of any control system security incidents in their facility, 48 percent said yes, 42 percent said no and 10 percent were not sure.
While individual companies may not release information on cyber incidents in their plants, respondents seemed aware of what was really going on.
Of the people that responded in the affirmative on knowing they were attacked, when asked how many control system cyber security incidents respondents were aware of in their facility, no one said zero. The majority of respondents (73.9 percent) said there were between 2 to 5 incidents, while 4.3 percent was big percentage with 1 incident, 6 to 10 incidents and 11-20 incidents all chiming in at the same level.
What is interesting is 13 percent said there were more that 20 incidents at their facility. Keep in mind, a cyber incident can range from a small accidental trip to a major hack attack.
You have to start somewhere and companies seem to be starting up the awareness cycle.
A majority of companies (54.8 percent) said they conducted control system security training and awareness programs.
Also, 52.4 percent said they developed and communicated a company policy for control system security.
In addition, 81 percent implemented network segmentation, which is the separation between business and control system network.
And surprisingly in this day and age of cyber awareness, 14.3 percent said their company took no security awareness actions at all.
SIO will soon be releasing the RISI Annual Report which will include in-depth analysis of all security incidents in the database, details of incidents reported in 2012, and details of the end user survey results.