ICS SECURITY DACH PLOT THICKENS FOR CYBER SECURITY In 2015, the upper house of the German parliament, the Bundesrat, approved the IT-Sicherheitsgesetz or IT Security Law. This act mandated that more than 2,000 “Operators of Critical Infrastructure” should implement a raft of new information security standards and comply with notification obligations within a two year period or face severe penalties. Approaching the half way mark of 2017, that 24 month stay of execution is almost up. Is industry ready? Since the passage of the IT-Sicherheitsgesetz, companies that employ industrial control systems (ICS) as an integral part of their day-to-day functionality have had a long time to assess their capabilities and weaknesses. In the run up to our ICS Cyber Security DACH event in Germany, we spoke with leading ICS Security professionals from across the DACH region to learn just where they are in their cyber security journey. Some of the answers are rather disconcerting…. DEFENSIVE CAPABILITY HOW CONFIDENT ARE YOU THAT YOUR... current defence mechanisms can handle / defense mechanisms can handle/detect detect threats such as hacktivism, cyber state actors / APTs? (APT=Advanced crime, cyber espionage and cyber Persistent Threat) warfare? 21% 39% 37% Confident Somewhat confident Not confident 3% 11% Do not know Confident 31% 58% Somewhat confident 0% Not confident Do not know ANALYSIS Whilst 60% of companies are in some way confident that they will be able to deal with the classic cyber threats of hacktivism, cyber crime, cyber espionage and cyber warfare, almost the same percentage, 58%, are not confident at all that they can deal with state actors or APTs. As ICS systems have been targeted by state actors in the past, this is an alarming statistic. DEFENSIVE ARSENAL Are you using a firewall to segregate your network and are you confident that it is sufficient to protect you from all types of cyber attacks? 38% 49% 13% Yes, I have confidence that firewalling is sufficient I have other segregation methods in place No, I have not segregated my network What controls do you have in place to prevent malicious commands or data being sent to OT from your IT infrastructure? 60% 42% 38% 16% 2% Strong authentication of employees permitted to do this. Only permitted from dedicated selected workstations not used for other purposes. Only permitted from selected physically secured zones of the office environment. The Four-Eyes principle. Other Are you monitoring your network? 18% 56% 27% 9% 38% 11% No Yes, we have network IDS (IDS = Intrusion Detection System) Yes, we have host IDS Yes, we use honeypots Yes, we use a SIEM (SIEM = Security Information and Event Management) Don’t know How visible is what is going on your network to your organisation? We have a fully operational SOC (SOC = Security Operations Center) 32% We are using monitoring tools 30% Our system engineers have this as an additional task 14% I barely have visibility 13% I'm unsure 11% RESPONSE Does your organisation have an incident How fast do you think it is necessary to response plan (IRP) in place? be able to respond on a (cyber) security incident? 33% 27% No Yes 13% 27% 5% 89% 6% Yes and we do dry runs on a regular basis I am unsure Within minutes Within hours Within days ANALYSIS Although 1 in 3 companies do not have an incident response plan in place, almost 9 out of 10 professionals expect cyber attacks to be addressed within hours. The reality behind the figures does not add up. On a scale from 1-100, with 1 being abysmally and 100 being perfectly, how effectively is your organisation managing the relationship between IT and OT? 62 0 100 How ready do you think your organisation is for Industry 4.0? INDUSTRY 47% Ready 4.0 53% Not ready THE ICS CYBER SECURITY DACH CONFERENCE WILL BE TAKING PLACE FROM 5-6 SEPTEMBER 2017 IN GERMANY. TO RESERVE YOUR PLACE NOW, PLEASE CONTACT US ON: TELEPHONE: +44 (0) 20 7036 1300 EMAIL: ENQUIRE@IQPC.CO.UK WEB: HTTPS://ICSCYBERSECURITYDACH.IQPC.CO.UK/.
