ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry Forum


ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry Forum in Orlando, FL.

Published in: Technology, News & Politics

  1. Cyber Security Standards Today
     Bob Mick, VP Emerging Technologies, ARC Advisory Group
     bmick@arcweb.com
     Security is viewed as a cost by most organizations, making it a good candidate for standardization. Standardization can control costs, accelerate security programs to higher levels, and provide a framework for satisfying increasing regulation and compliance requirements.
  2. Agenda (© ARC Advisory Group)
     This Session:
     • Security in Manufacturing
     • National Institutes of Standards
     • ISA SP-99
     • Panel with Q&A
  3. The Industry Is Coming to Grips With Security, But Security is a Never Ending Challenge
     Survey question: Is your company more secure than it was five years ago?
       Clearly more secure                     41.5 %
       Keeping pace with escalating threats    28.9 %
       Clearly Less Secure                      8.3 %
       Do Not Know                             17.0 %
       Other                                    4.3 %
     • 70% feel that our investments have done the job
     • But many feel that we are just keeping up
     • 8% know that it is not enough
     • Too many do not know … highlighting a need for common metrics
     Costs Are Likely to Continue to Escalate Unless We Develop New Approaches and Innovative Solutions
  4. Security Spending Continues to Grow: Almost No Companies are Deciding to Reduce Spending
     Survey question: Over the past five years, has your security budget changed?
       Growing             39.6 %
       Staying the Same    24.2 %
       Shrinking            1.8 %
       Do Not Know         29.3 %
       Other                5.1 %
     • Average by company increase was 13% which is typical of end user increases
     • Suppliers and Systems Integrators reported the biggest increases (some 50-100%)
     • Caution: Numbers are not indicative of overall industry spend
     Spending Increases Vary Widely, Depending on the Maturity of Security Programs, Industry, …
  5. Cyber Threats are Still the Biggest Worry, But Internal Threats Will Need Increasing Attention
     Survey question: Please identify your level of concern over the following topics?
                          Cyber Threats   Physical Threats   Internal Threats
       High Concern       41.4 %          21.6 %             29.5 %
       Some Concern       40.2 %          56.8 %             51.1 %
       Have it Covered    16.1 %          20.5 %             12.5 %
       Do Not Know         2.3 %           1.1 %              6.8 %
     Note: Manufacturers Only
     • Internal threats are more of a concern than physical threats
     • Internal threats have the lowest “have it covered” and the biggest “do not know”
     • Most standards do not address internal threats explicitly
     We Need Additional Resources to Address Internal Threats, Not a Diversion of Resources From Cyber Threats
  6. Awareness is Critical To Security Programs, And One of the Biggest Challenges for End Users
     Survey question: Does your company have a training program for control system security?
       Yes    21.4 %
       No     78.6 %
     Survey question: How often do your employees attend training?
       Once            40.8 %
       Once A Year     35.4 %
       Twice A Year     9.2 %
       More Often      14.6 %
     • Clearly we are not training enough
     • Indicative of the cost, effort and disruption of thorough training programs
     • Lack of training will limit the effectiveness of otherwise excellent security programs
     Industry Standards Reduce Complexity, Ease Training and Enhance Awareness
  7. A Critical Question: What Do We Want in Standards?
     Survey question: What are you looking for in security standards?
     [Chart: importance ratings (Extremely Important, Very Important, Somewhat Important, Important, Not Very Important, Not Important At All) for Practices, Architecture, Technologies, Metrics]
     • Differences between survey respondent groups
       - Practices: End users, systems integrators and suppliers agree practices are #1
       - Architecture and Metrics: End user ranking was slightly higher than other respondent groups
       - Technologies: Supplier rankings were slightly higher than other respondent groups
     “How-To” Standards Help Educate and Fight Complexity
  8. The Industry Believes In Security Standards, In Spite of the Difficulty and Time Required
     Survey question: Given the changing nature of the information technology environment, do you believe that security standards can effectively ensure a secure manufacturing control system?
       Yes    75.7 %
       No     24.3 %
     • End user confidence was consistent with overall industry opinion
     • Interesting Comments:
       - Standards can not cover everything
       - Security needs are now, standards take time
       - Security is a moving target
       - Does sharing best practices make systems more vulnerable?
       - Security requires maintenance
       - People are an essential element
       - Doing nothing is not an option
     Overall, This Reflects Very High Expectations
  9. Security Standardization
     Listen to the Standardization Experts …
     • Bryan Singer, SP-99 Co-chair (Wurldtech)
     • Keith Stouffer, NIST
     • Eric Cosman, SP-99 Co-Chair (Dow)
       - Will join us on the Q&A Panel
  10. Thank You
      For more information, contact Bob Mick at bmick@arcweb.com