Thursday, November 21, 2013

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by the Ponemon Institute.

Industrial control systems continue to draw scrutiny as the risks involved in preserving aging IT infrastructures continue to escalate. Mission-critical systems in everything from manufacturing facilities to public utilities have shown to be easily breached and highly vulnerable.

A new Ponemon Institute survey, however, found that security efforts in the sector are ramping up: 51% use formal risk assessments to identify security risks – which is higher than the broader enterprise average.

Also, the survey found a majority (86%) believe that minimizing noncompliance with laws and regulations helps meet certain business objectives – and that’s also 5% higher than the average.

Risk-based security is coming onto the radar screen too: 43% measure the reduction in unplanned system downtime to assess the effectiveness of cost-containment management efforts, compared with the survey average of 38%. And about half (52%) listed the “flow of upstream communications” as one of the top three features most critical to the success of a risk-based security management approach – an 8% increase over the survey average of 46%.

Even so, this is not enough to protect industrial control systems against determined attackers. For instance, only 56% listed an “openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach – and this is 6% lower than the survey average of 62%.

Further, it is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability. In this regard, however, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security.

Only 40% have fully or partially deployed security configuration management, compared with the survey average of 49%, and 75% have fully or partially deployed system hardening, which is 5% lower than the survey average of 80%.

When it comes to organizational culture, security still has a long way to go before it permeates the business.

Most ICS respondents (69%) said security communications are contained in only one department or line of business, compared with the survey average of 63%. And 67% said security communications occur at too low a level, compared with the survey average of 62% – indicating that needed oversight from the C-level is generally lacking.

Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level. Security risks must be considered in the context of overall business risk, or the entire organization’s success will be in jeopardy.
