“Imagine what a jury would say during a corporate liability trial when presented with evidence that the plant was still running Windows 2000 or XP?”
CyberX 2019 Global ICS & IIoT Risk Report
We’re pleased to announce that CyberX released our 2nd annual report on the current state of ICS and IIoT security last week. The launch occurred on the first day of SecurityWeek’s ICS Cyber Security Conference in Atlanta.
This year’s “Global ICS & IIoT Risk Report” is based on traffic captured over the past 12 months from more than 850 production ICS/SCADA networks — across 6 continents and all industrial sectors including energy & utilities, manufacturing, pharmaceuticals, chemicals, and oil & gas.
Unlike questionnaire-based surveys, CyberX’s report is based on analyzing real-world ICS network traffic — making it a more accurate representation of the current state of ICS security.
“It’s a golden age to be an attacker against critical infrastructure. If you are in critical infrastructure you should plan to be targeted. And if you are targeted, you will be compromised. It’s that simple.”
Andy Bochman, Senior Grid Strategist for National & Homeland Security
at the Idaho National Laboratory (INL)
One of the interesting stats is that more than half of all industrial sites are still running older versions of Windows — and nearly 7 out of 10 still have plain-text passwords traversing their networks.
Other data points also show that ICS networks continue to be soft targets for adversaries. Other key gaps include direct OT connections to the internet (40%) — so much for the mythical air-gap — and anti-virus protections that aren’t automatically updated (57%).
Imagine a corporate liability lawsuit following a major safety or environmental incident involving a cyber incident at one of these vulnerable plants. I’m guessing the plaintiffs would have a fairly easy time convincing a judge or jury that the firm wasn’t meeting minimum standards of due care — and should therefore be deemed negligent.
But that doesn’t mean nothing can be done. Ruthless risk-based prioritization is key. The report describes eight steps for protecting your organization’s most essential assets with proactive controls such as continuous ICS monitoring, threat modeling, and segmentation.
“The risk to OT networks is real — and it’s dangerous and perhaps even negligent for business leaders to ignore it.”
Michael Assante, ICS/SCADA Lead, SANS Institute