Control System Security Perceptions and Practices

Control Engineering cyber security bloggers puzzle over recent industrial control system security assessment survey results.


Read the industrial cyber security blog at
Read more on cyber security in these Control Engineering articles:
Applying security defense-in-depth, Dec. 2009
Cyber security: Vendors fight back, Nov. 2009
Cyber security for legacy systems, July 2009
Cyber security hits home, Jan. 2009
10 control system security threats, Apr. 2007

Nearly 200 responses were received to Control Engineering ’s Industrial Control Systems Cyber Security Assessment Survey that commenced in November 2009. While some trends from the responses were expected, others were quite surprising. This article will provide our analysis of the responses, starting with simple observations and concluding with analysis of less expected responses and trends.


The first surprise was that 24% indicated they do not believe there are any threats and risks associated with their information control system that could affect their business operations. This seems very puzzling since most organizations operate with the understanding that there is no such thing as 100% security. In an environment where industrial control systems are becoming more dependent upon increased connectivity, including the Internet and remote control capabilities, we expected nearly a 100% response acknowledging the presence of such risks. The most prevalent cyber security concerns expressed by nearly 20% of respondents acknowledging the presence of disconcerting risks were viruses and malicious software.


Another very surprising observation is only 53% indicated they are an “organization involved in an industry where you are compelled to implement specific information control system protections.” That leaves 47% that are not compelled to implement specific information control system protections. For the same reasons mentioned above regarding perceived risk, we expected a much higher number of responses indicating an urgency to implement specific information control system protections.




Answers provide a mixed bag, but some basic security concepts seem to be soaking in.
Answers provide a mixed bag, but some basic security concepts seem to be soaking in.

It was also surprising to see that only 50% indicate that their organization has an operating computer emergency response team to detect cyber security breach attempts and successful cyber security breaches. We find this odd in an environment where the number of cyber security threats facing industrial control systems is extremely high and has been growing dramatically in recent years. Another unexpected trend is 22% indicated they have never performed any type of vulnerability assessment. Encari recommends that organizations perform vulnerability assessments at least annually, which is reinforced by approximately 65% who indicated that they have conducted a vulnerability assessment within the past year. This has been accepted as a best practice since the cyber security threat landscape and infrastructure environments continuously change. In addition, the most prevalent industry change recently has been increased cyber capabilities and connectivity thereby necessitating such assessments. If sufficient in scope and effectively executed, they can yield strong insight into an organization’s industrial control systems cyber security posture.


Along this same line, we weren’t surprised to see that only 46% indicate that they have contracted the services of an external firm to conduct some form of a vulnerability assessment. The reality is that an organization’s internal assessment capabilities can rarely match the skills of cyber security consulting firms whose core competency is performing such assessments. When planned with an effective project scope, an assessment can be financially viable and provide profound insights into organizations’ cyber security postures. Well-performed assessments reduce overall operating costs similar to preventive medicine or Taguchi’s model of building quality (and security) in to the design. Organizations that maintain internal capabilities should consider contracting a consulting firm at least every two years, while organizations that do not have an internal capability should consider contracting a consulting firm annually.


Users seem divided as to the most important element of a security solution.  Some may be based on internal experiences and incidents.
Users seem divided as to the most important element of a security solution. Some may be based on internal experiences and incidents.

Protecting information

We were pleased to see that 75% indicate that their organization either has already implemented or is deploying an information protection program. While not specified in the responses, we have a high degree of confidence that a majority of the respondents are currently implementing information protection programs. Further, based upon what we have encountered in numerous organizations, we suspect that many of the information protection programs implemented are likely insufficient. This skepticism stems from the difficulty of implementing such programs for industrial control systems and general corporate information. Statistical evidence from the Privacy Rights Clearinghouse bears this out.


Organizations generate a plethora of information that exists in many forms, including digital, hard copies, and verbally. In order to establish an effective and sufficient information protection program, it must address and apply protective controls for all sensitive information usage scenarios. For example, how does the program protect sensitive information:


  • Sent via email;

  • Stored on USB thumb drives and technician laptop computers;

  • Faxed to a vendor;

  • Printed by a network printer;

  • Residing in a database; and

  • Communicated verbally?



Some answers show contradictions. Almost half the people who say they have no system inventory still claim a change control process.
Some answers show contradictions. Almost half the people who say they have no system inventory still claim a change control process.

How do you ensure that all information subject to the information protection program is labeled with its appropriate classification (e.g., “confidential,” or “secret”)? We have worked with many organizations that have established sufficiently comprehensive information protection programs but have struggled with implementation.


Security first steps

Given that we have encountered many organizations that have experienced challenges with maintaining an accurate and complete inventory of all information systems that reside and operate on control networks, we were surprised to see that 70% indicate the contrary. However, later in this article there are trends we noticed that may challenge the thought processes applied toward the responses.


It was interesting to see a somewhat uniform distribution of responses regarding the issues organizations would address first regarding the implementation of a control strategy (see pie chart graphic):


  • 27% access control;

  • 23% perimeter security (e.g., firewalls);

  • 16% security policies;

  • 14% information protection);

  • 13% facility (i.e., physical) security; and

  • 7% security awareness.

Since many cyber security incidents historically have resulted from human error, malicious and disgruntled employees, users with authorized cyber access, and lack of security awareness, we hoped to see a greater number of responses pertaining to security awareness. Unfortunately, it has been common to encounter organizations neglecting security awareness as a part within its overall industrial control systems security programs.


Other key results

Several other notable findings of the survey:


  • Of respondents indicating concerns regarding potential inappropriate information disclosure, 31% have not implemented an information protection program.

  • Of respondents indicating concern regarding potential exposure to viruses and malicious software, 29% are operating in the absence of a monitoring capability to detect security breach attempts and successful security breaches.

  • Of respondents indicating concerns regarding risk associated with cyber security threats, 48% are operating without a computer emergency response team, and 19% have never performed a vulnerability assessment.

  • Of respondents indicating they have an accurate and complete inventory of all information systems that reside and operate on their control networks, 30% are currently operating with no change control process that is able to prevent unauthorized and potentially vulnerable changes from taking place on their control system.

  • Of respondents indicating they have monitoring capability to detect security breach attempts and successful security breaches, 70% say they also have an emergency response team. Less than 5% have the emergency response team but no monitoring capability.



Responses are split on monitoring capability, but those that do tend to have the next logical stages in place as well.
Responses are split on monitoring capability, but those that do tend to have the next logical stages in place as well.

The various combinations of responses noted in these points indicate a lack of maturity of the responders’ industrial control system cyber security programs. This is an indication that these organizations are likely addressing cyber security concerns in isolation versus in the context of a holistic cyber security strategy. For example:


  • How can you effectively address concerns regarding potential virus and malicious software exposure without monitoring capability?

  • Why would you operate without a computer emergency response team, or why would you not perform a vulnerability assessment if you were concerned about risks associated with cyber security threats?

  • How can you claim to have an accurate and complete inventory of all information systems that reside and operate on control networks without a change control process?




Today’s reality is that we have a long way to go to understand and sufficiently protect our digital world to ensure continuing safety of the electronically controlled physical world. We are at a crossroads in time that requires us to push harder for resources to fix the problem and ensure that those resources are properly aligned with the most appropriate solutions. Every environment is different but the ultimate goal is the same: safe and reliable control of an efficient system. Now it is your goal individually, your company organically, and your industry collectively, to identify the appropriate path forward — a path that will continue our prosperity safely. We hope that our ongoing articles focusing on applying security defense-in-depth to industrial control systems will help achieve this ultimate goal.





Author Information
Consultants Matt Luallen and Steve Hamburg are co-founders of Encari and write the Industrial Cyber Security blog for Control Engineering.


The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Doubling down on digital manufacturing; Data driving predictive maintenance; Electric motors and generators; Rewarding operational improvement
2017 Lubrication Guide; Software tools; Microgrids and energy strategies; Use robots effectively
Prescriptive maintenance; Hannover Messe 2017 recap; Reduce welding errors
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Research team developing Tesla coil designs; Implementing wireless process sensing
Commissioning electrical systems; Designing emergency and standby generator systems; Paralleling switchgear generator systems
Natural gas engines; New applications for fuel cells; Large engines become more efficient; Extending boiler life

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me