ABOUT THIS EPISODE
ICS-CERT and many others put out primarily statistics that are misleading or of little value, most often because the data source is not described or addressed correctly. The CyberX report is interesting because they are pulling hard data from 375 different ICS networks and some of the statistics were not what I expected. In this episode I talk with Phil Neray of CyberX about their Global ICS & IIoT Risk Report.
We start on the data. Who provided the data, how they collected the data, and how they brought the data back to CyberX for analysis. The data comes from OT networks, not from corporate networks from companies with ICS, which is where many other stats fall short.
Then we dive into some of the statistics including:
- One third of the OT networks had an Internet connection. This is an actual TCP connection from a computer or device in the control room or elsewhere in the ICS to a computer or device on the Internet. This was a surprise to me. I assumed that asset owners considering a product in the ICS Detection category would be further along in their ICS security maturity. Evidently not. For some, this is their first step in looking at the issue.
- The statistic that 50% of the sites were not running anti-virus is flawed. What was actually measured is that 50% of the sites did not send anti-virus signature updates over the network during a 24-hour period, which is not the same thing. The 10% with active malware was accurate, and again points to many of the participants just beginning their ICS security program.
- We also talk about the remote management statistic (which I'd expect to be 100% based on the CyberX definition), obsolete operating systems, incomplete asset inventory, wireless use and more.
Throughout the discussion we talk about ways the statistics could be improved for future updates of the report. I'd welcome your suggestions and will pass them along to Phil.