ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry Forum


ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry Forum in Orlando, FL.

Published in: Technology, News & Politics

  1. Cyber Security Standards Today
     Bob Mick, ARC Advisory Group, VP Emerging Technologies
     Security is viewed as a cost by most organizations, making it a good candidate for standardization. Standardization can control costs, accelerate security programs to higher levels, and provide a framework for satisfying increasing regulation and compliance requirements.
  2. Agenda (© ARC Advisory Group)
     • This Session: Security in Manufacturing
     • National Institutes of Standards
     • ISA SP-99
     • Panel with Q&A
  3. The Industry Is Coming to Grips With Security
     But Security is a Never Ending Challenge
     Is your company more secure than it was five years ago?
       • Clearly more secure: 41.5 %
       • Keeping pace with escalating threats: 28.9 %
       • Clearly Less Secure: 8.3 %
       • Do Not Know: 17.0 %
       • Other: 4.3 %
     • 70% feel that our investments have done the job
     • But many feel that we are just keeping up
     • 8% know that it is not enough
     • Too many do not know … highlighting a need for common metrics
     Costs Are Likely to Continue to Escalate Unless We Develop New Approaches and Innovative Solutions
  4. Security Spending Continues to Grow
     Almost No Companies are Deciding to Reduce Spending
     Over the past five years, has your security budget changed?
       • Growing: 39.6 %
       • Staying the Same: 24.2 %
       • Shrinking: 1.8 %
       • Do Not Know: 29.3 %
       • Other: 5.1 %
     • Average by company increase was 13% which is typical of end user increases
     • Suppliers and Systems Integrators reported the biggest increases (some 50-100%)
     • Caution: Numbers are not indicative of overall industry spend
     Spending Increases Vary Widely, Depending on the Maturity of Security Programs, Industry, …
  5. Cyber Threats are Still the Biggest Worry
     But Internal Threats Will Need Increasing Attention
     Please identify your level of concern over the following topics? (Note: Manufacturers Only)
       • Cyber Threats: High Concern 41.4 %, Some Concern 40.2 %, Have it Covered 16.1 %, Do Not Know 2.3 %
       • Physical Threats: High Concern 21.6 %, Some Concern 56.8 %, Have it Covered 20.5 %, Do Not Know 1.1 %
       • Internal Threats: High Concern 29.5 %, Some Concern 51.1 %, Have it Covered 12.5 %, Do Not Know 6.8 %
     • Internal threats are more of a concern than physical threats
     • Internal threats have the lowest “have it covered” and the biggest “do not know”
     • Most standards do not address internal threats explicitly
     We Need Additional Resources to Address Internal Threats, Not a Diversion of Resources From Cyber Threats
  6. Awareness is Critical To Security Programs
     And One of the Biggest Challenges for End Users
     Does your company have a training program for control system security?
       • Yes: 21.4 %
       • No: 78.6 %
     How often do your employees attend training?
       • Once: 40.8 %
       • Once A Year: 35.4 %
       • Twice A Year: 9.2 %
       • More Often: 14.6 %
     • Clearly we are not training enough
     • Indicative of the cost, effort and disruption of thorough training programs
     • Lack of training will limit the effectiveness of otherwise excellent security programs
     Industry Standards Reduce Complexity, Ease Training and Enhance Awareness
  7. A Critical Question: What Do We Want in Standards?
     What are you looking for in security standards?
       • Categories rated: Practices, Architecture, Technologies, Metrics
       • Rating scale: Extremely Important, Very Important, Somewhat Important, Important, Not Very Important, Not Important At All
     • Differences between survey respondent groups
       • Practices: End users, systems integrators and suppliers agree practices are #1
       • Architecture and Metrics: End user ranking was slightly higher than other respondent groups
       • Technologies: Supplier rankings were slightly higher than other respondent groups
     “How-To” Standards Help Educate and Fight Complexity
  8. The Industry Believes In Security Standards
     In Spite of the Difficulty and Time Required
     Given the changing nature of the information technology environment, do you believe that security standards can effectively ensure a secure manufacturing control system?
       • Yes: 75.7 %
       • No: 24.3 %
     • End user confidence was consistent with overall industry opinion
     • Interesting Comments:
       • Standards can not cover everything
       • Security needs are now, standards take time
       • Security is a moving target
       • Does sharing best practices make systems more vulnerable?
       • Security requires maintenance
       • People are an essential element
       • Doing nothing is not an option
     Overall, This Reflects Very High Expectations
  9. Security Standardization
     Listen to the Standardization Experts …
     • Bryan Singer, SP-99 Co-chair (Wurldtech)
     • Keith Stouffer, NIST
     • Eric Cosman, SP-99 Co-Chair (Dow)
       • Will join us on the Q&A Panel
  10. Thank You
      For more information, contact Bob Mick at