A recent study by Tripwire reveals that 86% of energy security professionals believe they can detect a breach in less than a week and 61% believe they can detect a critical system breach in less than 24 hours.  The problem with this high level of confidence is that other reports have indicated something quite different.

  • For one, it takes much longer than 24 hours or 7 days to detect a breach.  The 2015 Data Breach Investigations Report found that two-thirds of targeted attacks generally took months to detect.
  • Secondly, there is still a significant communication gap between CIOs and executives.  In a survey conducted by the Ponemon Institute it was found that 31% of IT security professionals never speak with senior company executives.

Granted, executives have begun taking a greater interest in their company’s security posture, but they are far from done with the measures they need to take, especially since information security isn’t a one-time deal.  The recent OPM breach is just one of the examples that shed light on the problems organizations are still having with data breach detection and security.

When it comes to industrial control systems, this level of confidence by executives doesn’t help to ensure organizations take additional steps to secure their environment.  This is concerning given that a recent survey by the SANS Institute showed that 32% of respondents (who actively maintain, operate or provide consulting services to facilities operating industrial control systems) said their control system assets or networks had been infiltrated or infected at some point.  Additionally, 44% of those surveyed admitted that they were unable to identify the source of the infiltration.  The SANS Institute survey also found that 34% of these organizations believed their systems had been breached more than twice in the last year, and 15% said they need more than a month to detect a breach.

Industrial control system executives must come to terms with the fact that security tools aren’t enough to ensure proactive oversight of network vulnerabilities.  As control systems cybersecurity expert Joseph M. Weiss put it in one of his latest articles, “The understanding of actual ICS cyber incidents is critical to developing the technologies and training to identify and address ICS cyber incidents.”

Whether the confidence executives have in their ability to detect a breach is due to a lack of communication within the organization or to the trust they have in their security team is not as much of an issue as the fact that studies continue to show the vulnerabilities these organizations encounter, and that they don’t seem to be well-equipped to handle them.  Furthermore, it doesn’t help that organizations keep getting breached left and right.

Security issues can’t be allocated to IT alone; they are of concern to the entire organization.  The communication gap between security professionals and executives needs to be resolved, and the budget set aside to maintain a holistic security posture requires reevaluation.  Once leadership can come to terms with these realities, security improvements will surely come.
What steps are you taking to implement a proactive security posture and effective breach detection plan?

 
