The document presents a survey webcast discussing the current state of security in industrial control systems, highlighting top threat vectors and security initiatives. It reveals that external threats and lack of visibility are significant challenges for organizations, and many do not have a comprehensive security strategy. Additionally, it touches on cybersecurity budgets, recent breaches, and the importance of continuous network monitoring to enhance security.

1. The State of Security in
Control Systems Today:
A SANS Survey Webcast
Sponsored by SurfWatch Labs and
Tenable Network Security
© 2015 The SANS™ Institute – www.sans.org

2. © 2015 The SANS™ Institute – www.sans.org
Today’s Speakers
Derek Harp, SANS Director, ICS/SCADA
Security
Adam Meyer, Chief Security Analyst,
SurfWatch Labs
Ted Gary, Product Marketing Manager,
Tenable Network Security
2

3. © 2015 The SANS™ Institute – www.sans.org
Industries Represented
3
29.3%
20.7%
13.1%
5.1%
5.1%
4.8%
3.5%
3.2%
2.5%
2.5%
2.5%
1.9%
1.9%
1.6%
1.3% 0.6%
0.3%
Industries
Energy/Utilities
Other
Business services
Engineering services
Oil and gas production/Delivery
Control system equipment manufacturer
Control systems services
High tech production
Chemical production
Health care/Hospital
Water production and distribution
Transportation
Other manufacturing
Pharmaceutical production
Food production/Food service
Mining
Wastewater

4. © 2015 The SANS™ Institute – www.sans.org
Top Threat Vectors to ICS Security
4
42.1%
19.4%
10.6%
0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45
External threats (hacktivism, nation states)
Integration of IT into control system networks
Internal threat
Top Three Threat Vectors

5. © 2015 The SANS™ Institute – www.sans.org
Lack of Visibility into ICS Networks
5
48.8%
32.3%
12.2%
4.9% 1.8%
Have your control system cyber assets and/or control system network ever
been infected or infiltrated?
Not that we know of
Yes
No, we’re sure we haven’t been
infiltrated
We’ve had suspicions but were never
able to prove it
We don’t know and have no
suspicions

6. © 2015 The SANS™ Institute – www.sans.org
Technology Convergence Strategy
6
17.5%
35.6%
29.4%
17.5%
Does your company have a security strategy to address the convergence of
information and operational technologies?
We have no strategy and no plans to
develop one.
We have no strategy but are
developing one.
We have a strategy and are
implementing it.
We have a strategy in place.

7. © 2015 The SANS™ Institute – www.sans.org
Recent Breaches
7
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
1 to 2
3 to 5
6 to 10
11 to 25
26 +
Unknown/Unable to answer
Known Breaches in Past 12 Months
2015
2014

8. © 2015 The SANS™ Institute – www.sans.org
Cybersecurity Threat Level
8
0% 10% 20% 30% 40% 50%
Severe
High
Moderate
Low
How high is the current cybersecurity threat to control systems?
Decision Influencers Perception of
Current Threat
Decision Makers Perception of
Current Threat

9. © 2015 The SANS™ Institute – www.sans.org
Top Security Initiatives
9
17.2%
15.5%
13.3%
9.9%
9.0%
8.2%
6.4%
6.0%
6.0%
3.4%
2.6%
0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20%
Perform security assessment/audit
Increased security awareness training
Increased physical security
Increased security staffing
Implement intrusion detection tool
Implement intrusion prevention tools
Increased security training
Implement anomaly detection tools
Increased security consulting services
Increased background security checks
Greater mobile devices/wireless communications controls
Top Three Control System Security Initiatives

10. © 2015 The SANS™ Institute – www.sans.org
Highest Risk Components
10
0%
10%
20%
30%
40%
50%
60%
70%
80%
Networkdevices(firewall,switches,
routers,gateways)
Computerassets(HMI,server,
workstations)runningcommercial
operatingsystems(Windows,UNIX,
Linux)
Connectionstootherinternal
systems(officenetworks)
Controlsystemapplications
Physicalaccesssystems
ConnectionstothefieldSCADA
network
Controlsystemcommunication
protocolsused(Modbus,DNP3,
Profinet,Profibus,Fieldbus,TCP/IP)
Wirelesscommunicationdevices
andprotocolsusedinthe
automationsystem
Planthistorian
Embeddedcontrollersandother
componentssuchasPLCs
(programmablelogiccontrollers)and
IEDs(intelligentelectronicdevices)
OLEforprocesscontrol(OPC)
Other
Of the following system components, select those that you are collecting
and correlating log data from.

11. © 2015 The SANS™ Institute – www.sans.org
Highest Risk Components
11
0% 10% 20% 30% 40% 50%
Other
OLE for process control (OPC)
Plant historian
Physical access systems
Connections to the field SCADA network
Control system applications
Wireless communication devices and protocols used in the
automation system
Control system communication protocols used (Modbus,
DNP3, Profinet, Profibus, Fieldbus, TCP/IP)
Embedded controllers and other components such as PLCs
(programmable logic controllers) and IEDs (intelligent…
Network devices (firewall, switches, routers, gateways)
Connections to other internal systems (office networks)
Computer assets (HMI, server, workstations) running
commercial operating systems (Windows, UNIX, Linux)
Which control system components do you consider at greatest risk for compromise? Rank the top
three, with “1” indicating the component at greatest risk.
1 2 3

12. © 2015 The SANS™ Institute – www.sans.org
ICS Security Certification
12
0%
10%
20%
30%
40%
50%
60%
Other
GIACIndustrialCyber
SecurityCertification
(GICSP)
ISA99/IEC62443
Cybersecurity
Fundamentals
SpecialistCertificate
IACRB’sCertified
SCADASecurity
Architect(CSSA)
Do you hold any certifications relevant to control systems security? Select
all that apply.

13. © 2015 The SANS™ Institute – www.sans.org
Incident Response
13
0%
10%
20%
30%
40%
50%
Internalresources
Government
organizations(e.g.,
NERC,FERC,ICSCERT,
lawenforcement)
Controlsystemvendor
Securityconsultant
Cybersecuritysolution
provider
ITconsultant
Peers(e.g.,SCADA
operators)
SCADAsystemintegrator
Engineeringconsultant
Other
Whom do you consult in case of signs of an infection or infiltration of your
control system cyber assets or network? Select all that apply.

14. © 2015 The SANS™ Institute – www.sans.org
Security Budget Size
14
0%
1%
2%
3%
4%
5%
6%
7%
8%
9%
10%
None
Lessthan$19,999
$20,000–$49,999
$50,000–$99,999
$100,000–$499,999
$500,000–$999,999
$1million–$2.49million
$2.5million–$9.99million
Greaterthan$10million
What is your organization’s total control system security
budget for 2015?

15. © 2015 The SANS™ Institute – www.sans.org
Security Budget Ownership
15
19.4%
23.9%
45.0%
6.1%
5.6%
Who controls the control systems security budget for your company?
Information technology (IT)
Operations
Both IT and operations
Unknown
Other

16. Adam Meyer
Chief Security Strategist

17. Take a Data Driven Approach to
Mitigating Your Cyber Risk
17

18. 18
Take a Data Driven Approach to
Mitigating Your Cyber Risk

19. 19
A Look at Cybercrime
Across the Board

20. 20
Cyber Risks Facing
Industrials Sector

21. 21
Cyber Risks Facing
Energy Sector

22. 22
Cyber Risks Facing
Utilities Sector

23. Conclusion
23
• The Top Targets: Your IT user base and web environment
• The Top Practices: Network intrusion and access control
– Inadequate patching of vulnerabilities gives “bad guys” a way in
– Insecure system configurations allow freedom of movement
• The Top Effects: Stolen or leaked data - especially
personal and financial information
– The commodity appears to be data exfiltration

24. Thank You!
www.surfwatchlabs.com

25. Continuous Network Monitoring for Effective
Control Systems Cybersecurity
SANS ICS Survey Webcast, June 25, 2015

26. Tenable provides Continuous Network
Monitoring™ to identify vulnerabilities,
reduce risk and ensure compliance.

27. Our family of products includes
SecurityCenter Continuous View™
and Nessus®

28. Gain Visibility into ICS Networks
Map all devices, physical interconnections, logical
data channels, and implemented ICS protocols
among devices.

30. Know What Is Normal
• Lack of visibility is one of the greatest
barriers to securing resources
• Without awareness of normal
communications and activity, it’s impossible
to properly evaluate or improve security of
assets
• Operations and security staff must be able
to visualize and verify normal network
operations

32. Learn More / Next Steps
• tenable.com/industries/energy
• tenable.com/whitepapers/scada-network-
security-monitoring-protecting-critical-
infrastructure
• tenable.com/whitepapers/definitive-guide-to-
continuous-network-monitoring
• tenable.com/blog
• tenable.com/evaluate

33. Thank you!
tenable.com

35. © 2015 The SANS™ Institute – www.sans.org
Q & A
Please use GoToWebinar’s
Questions tool to submit
questions to our panel.
Send to “Organizers”
and tell us if it’s for
a specific panelist.
35

36. © 2015 The SANS™ Institute – www.sans.org
Acknowledgements
Thanks to our sponsors:
SurfWatch Labs
Tenable Network Security
To our special guests:
Adam Meyer
Ted Gary
And to our attendees,
Thank you for joining us today!
36