Industrial Control Systems Library: Survey 2017


We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners across a variety of industries, people whose work places them in positions of responsibility to identify risks and safeguard control systems and networks from malicious and accidental actions. It is our mission to turn these inputs into actionable intelligence that can be used to support new developments and address ongoing trends in the field, to inform the crucial business decisions that determine allocation of resources, prioritization of protective measures on critical assets and systems, and planning of new initiatives.

The importance of this information grows with each iteration of this report because reliance on control systems continues to expand across not only industrial settings, but also the operation and maintenance of our cities, our buildings and all kinds of modern smart applications. The convergence of IT and operational technology (OT) has now come into popular awareness as the lines between the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) have blurred and the media have given increased coverage to security breaches and their impacts.

ICS control and monitor industrial and infrastructure processes that produce products and deliver services. In various settings they are referred to as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), process control systems (PCS), process control domains (PCN), programmable logic controller and programmable automation controller systems (PLC/PAC), and building automation and control systems (BACS). Related terms include IIoT, the Industrial Internet, Industry 4.0 and the Connected Enterprise.

ICS and OT are used interchangeably in this paper because ICS is the enabler for operational technology systems used in industrial applications. OT is used primarily to distinguish cyber-physical systems that produce and deliver products and services, in contrast to IT systems that serve and support data-driven business operations.

With greater awareness comes greater attention. Although many businesses face ongoing budgetary challenges, ICS security budgets are largely stable or growing among respondents who are privy to such information. ICS security practitioners and the broader security community increasingly recognize that even dedicated, special-purpose ICS components, such as intelligent embedded devices and programmable devices used for command and control, can carry vulnerabilities exploitable by malefactors. Concern is also growing about ransomware, which has started to invade the corners of almost any digital system. Awareness has led some corporate leaders and IT to be proactive and take action, such as providing new and expanded investments to offset related risks and better ensure safe, reliable and available operations. This report discusses these trends and other changes across companies that make active use of ICS as a core enabler for business imperatives, and it provides actionable advice for today's security practitioners.