Control System Security Perceptions and Practices

Control Engineering cyber security bloggers puzzle over recent industrial control system security assessment survey results.



Read the industrial cyber security blog at

Read more on cyber security in these Control Engineering articles:

Applying security defense-in-depth, Dec. 2009

Cyber security: Vendors fight back, Nov. 2009

Cyber security for legacy systems, July 2009

Cyber security hits home, Jan. 2009

10 control system security threats, Apr. 2007

Nearly 200 responses were received to Control Engineering ’s Industrial Control Systems Cyber Security Assessment Survey that commenced in November 2009. While some trends from the responses were expected, others were quite surprising. This article will provide our analysis of the responses, starting with simple observations and concluding with analysis of less expected responses and trends.


The first surprise was that 24% indicated they do not believe there are any threats and risks associated with their information control system that could affect their business operations. This seems very puzzling since most organizations operate with the understanding that there is no such thing as 100% security. In an environment where industrial control systems are becoming more dependent upon increased connectivity, including the Internet and remote control capabilities, we expected nearly a 100% response acknowledging the presence of such risks. The most prevalent cyber security concerns expressed by nearly 20% of respondents acknowledging the presence of disconcerting risks were viruses and malicious software.


Another very surprising observation is only 53% indicated they are an “organization involved in an industry where you are compelled to implement specific information control system protections.” That leaves 47% that are not compelled to implement specific information control system protections. For the same reasons mentioned above regarding perceived risk, we expected a much higher number of responses indicating an urgency to implement specific information control system protections.




Answers provide a mixed bag, but some basic security concepts seem to be soaking in.

Answers provide a mixed bag, but some basic security concepts seem to be soaking in.

It was also surprising to see that only 50% indicate that their organization has an operating computer emergency response team to detect cyber security breach attempts and successful cyber security breaches. We find this odd in an environment where the number of cyber security threats facing industrial control systems is extremely high and has been growing dramatically in recent years. Another unexpected trend is 22% indicated they have never performed any type of vulnerability assessment. Encari recommends that organizations perform vulnerability assessments at least annually, which is reinforced by approximately 65% who indicated that they have conducted a vulnerability assessment within the past year. This has been accepted as a best practice since the cyber security threat landscape and infrastructure environments continuously change. In addition, the most prevalent industry change recently has been increased cyber capabilities and connectivity thereby necessitating such assessments. If sufficient in scope and effectively executed, they can yield strong insight into an organization’s industrial control systems cyber security posture.


Along this same line, we weren’t surprised to see that only 46% indicate that they have contracted the services of an external firm to conduct some form of a vulnerability assessment. The reality is that an organization’s internal assessment capabilities can rarely match the skills of cyber security consulting firms whose core competency is performing such assessments. When planned with an effective project scope, an assessment can be financially viable and provide profound insights into organizations’ cyber security postures. Well-performed assessments reduce overall operating costs similar to preventive medicine or Taguchi’s model of building quality (and security) in to the design. Organizations that maintain internal capabilities should consider contracting a consulting firm at least every two years, while organizations that do not have an internal capability should consider contracting a consulting firm annually.


Users seem divided as to the most important element of a security solution.  Some may be based on internal experiences and incidents.

Users seem divided as to the most important element of a security solution. Some may be based on internal experiences and incidents.

Protecting information

We were pleased to see that 75% indicate that their organization either has already implemented or is deploying an information protection program. While not specified in the responses, we have a high degree of confidence that a majority of the respondents are currently implementing information protection programs. Further, based upon what we have encountered in numerous organizations, we suspect that many of the information protection programs implemented are likely insufficient. This skepticism stems from the difficulty of implementing such programs for industrial control systems and general corporate information. Statistical evidence from the Privacy Rights Clearinghouse bears this out.


Organizations generate a plethora of information that exists in many forms, including digital, hard copies, and verbally. In order to establish an effective and sufficient information protection program, it must address and apply protective controls for all sensitive information usage scenarios. For example, how does the program protect sensitive information:


  • Sent via email;

  • Stored on USB thumb drives and technician laptop computers;

  • Faxed to a vendor;

  • Printed by a network printer;

  • Residing in a database; and

  • Communicated verbally?



Some answers show contradictions. Almost half the people who say they have no system inventory still claim a change control process.

Some answers show contradictions. Almost half the people who say they have no system inventory still claim a change control process.

How do you ensure that all information subject to the information protection program is labeled with its appropriate classification (e.g., “confidential,” or “secret”)? We have worked with many organizations that have established sufficiently comprehensive information protection programs but have struggled with implementation.


Security first steps

Given that we have encountered many organizations that have experienced challenges with maintaining an accurate and complete inventory of all information systems that reside and operate on control networks, we were surprised to see that 70% indicate the contrary. However, later in this article there are trends we noticed that may challenge the thought processes applied toward the responses.


It was interesting to see a somewhat uniform distribution of responses regarding the issues organizations would address first regarding the implementation of a control strategy (see pie chart graphic):


  • 27% access control;

  • 23% perimeter security (e.g., firewalls);

  • 16% security policies;

  • 14% information protection);

  • 13% facility (i.e., physical) security; and

  • 7% security awareness.

Since many cyber security incidents historically have resulted from human error, malicious and disgruntled employees, users with authorized cyber access, and lack of security awareness, we hoped to see a greater number of responses pertaining to security awareness. Unfortunately, it has been common to encounter organizations neglecting security awareness as a part within its overall industrial control systems security programs.


Other key results

Several other notable findings of the survey:


  • Of respondents indicating concerns regarding potential inappropriate information disclosure, 31% have not implemented an information protection program.

  • Of respondents indicating concern regarding potential exposure to viruses and malicious software, 29% are operating in the absence of a monitoring capability to detect security breach attempts and successful security breaches.

  • Of respondents indicating concerns regarding risk associated with cyber security threats, 48% are operating without a computer emergency response team, and 19% have never performed a vulnerability assessment.

  • Of respondents indicating they have an accurate and complete inventory of all information systems that reside and operate on their control networks, 30% are currently operating with no change control process that is able to prevent unauthorized and potentially vulnerable changes from taking place on their control system.

  • Of respondents indicating they have monitoring capability to detect security breach attempts and successful security breaches, 70% say they also have an emergency response team. Less than 5% have the emergency response team but no monitoring capability.



Responses are split on monitoring capability, but those that do tend to have the next logical stages in place as well.

Responses are split on monitoring capability, but those that do tend to have the next logical stages in place as well.

The various combinations of responses noted in these points indicate a lack of maturity of the responders’ industrial control system cyber security programs. This is an indication that these organizations are likely addressing cyber security concerns in isolation versus in the context of a holistic cyber security strategy. For example:


  • How can you effectively address concerns regarding potential virus and malicious software exposure without monitoring capability?

  • Why would you operate without a computer emergency response team, or why would you not perform a vulnerability assessment if you were concerned about risks associated with cyber security threats?

  • How can you claim to have an accurate and complete inventory of all information systems that reside and operate on control networks without a change control process?




Today’s reality is that we have a long way to go to understand and sufficiently protect our digital world to ensure continuing safety of the electronically controlled physical world. We are at a crossroads in time that requires us to push harder for resources to fix the problem and ensure that those resources are properly aligned with the most appropriate solutions. Every environment is different but the ultimate goal is the same: safe and reliable control of an efficient system. Now it is your goal individually, your company organically, and your industry collectively, to identify the appropriate path forward — a path that will continue our prosperity safely. We hope that our ongoing articles focusing on applying security defense-in-depth to industrial control systems will help achieve this ultimate goal.





Author Information

Consultants Matt Luallen and Steve Hamburg are co-founders of Encari and write the Industrial Cyber Security blog for Control Engineering.


No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
The true cost of lubrication: Three keys to consider when evaluating oils; Plant Engineering Lubrication Guide; 11 ways to protect bearing assets; Is lubrication part of your KPIs?
Contract maintenance: 5 ways to keep things humming while keeping an eye on costs; Pneumatic systems; Energy monitoring; The sixth 'S' is safety
Transport your data: Supply chain information critical to operational excellence; High-voltage faults; Portable cooling; Safety automation isn't automatic
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Synchronizing industrial Ethernet networks; Selecting protocol conversion gateways; Integrating HMIs with PLCs and PACs
Why manufacturers need to see energy in a different light: Current approaches to energy management yield quick savings, but leave plant managers searching for ways of improving on those early gains.

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.