ARC Logo

Industrial Cyber Security Technologies & Processes
RequiredRequired Question(s)

Ensuring the cyber security of our industrial infrastructure is a critical concern, yet many plants and facilities remain at risk.  Organizations like NIST, ISA, ISO/IEC, NERC and COBIT have developed excellent guidelines for what needs to be done to protect industrial control systems (ICS), but many organizations are still reluctant to act until they understand what peers are doing.    

ARC is conducting this survey to help companies overcome this troubling situation.  It assesses the actual use of cyber security technologies and practices in the industrial sector and identifies the major factors driving/inhibiting investments.  

This is an important issue for everyone and we are asking for your support by completing this survey.  As an additional incentive, everyone who completes the survey will receive a summary report that they can use to benchmark their own program and focus their efforts.   

Privacy Concerns: Individual responses will be considered confidential and only aggregate information will be used in any reports.

If you have questions about the survey, please contact:

Sid Snitkin at srsnitkin@arcweb.com

 

Roles & Responsibilities

 
1.

How does your organization allocate responsibility for the following ICS cyber security activities across central and local groups? 
* Central means corporate, regional, or business unit groups responsible for multiple facilities or plants
* Local means individuals responsible for a specific facility or plant 
* Please use comments to elaborate and describe "Others" 

 Mostly Central Equal Responsibility Mostly Local Other Don't Know 
Policy Development & Governance
Process Development
Technology Selection
Technology Implementation
Incident Management
Configuration and Patch Management
Training
Security Assessment and Auditing
Compliance Reporting
Cyber Risk Assessment and Management
  • Comment:

  • 500 characters left.
2.
Who is responsible for the cyber security of your industrial control system equipment, applications, and interfaces. 
* IT represents the group that supports your enterprise IT hardware and software. 
* ICS represents the group responsible for the control system equipment itself.
* Please use comments to elaborate and describe "Others" 
 Mostly IT Equal Responsibility Mostly ICS Others Don't Know Not Applicable 
Control system controllers (DCS, PLC, PAC, RTU, etc.)
Control system PCs (HMIs, workstations, etc.)
Control system servers (Historians, advanced control, etc.)
Embedded control systems (e.g. robots, packaging systems, etc.)
Supervisory Control and Manufacturing IT
Interfaces to Enterprise IT solutions - ERP, SCM, etc.
Interfaces to Engineering IT Solutions - PLM, etc.
  • Comment:

  • 500 characters left.
3.
Who is responsible for the cyber security of your industrial networks?
* IT rep
resents the group that supports your enterprise IT hardware and software. 
* ICS represents the group responsible for the control system equipment itself.
* Please use comments to elaborate and describe "Others" 
 Mostly IT Equal Responsibility Mostly ICS Others Don't Know Not Applicable 
Internal Plant Networks - wired
Internal Plant Networks - wireless
Remote Access Interfaces to Internal Plant Networks
External ICS SCADA Networks - Using Privately Managed Means
External ICS SCADA Networks - Using Public Networks
  • Comment:

  • 500 characters left.
4.

Which of the following best describes the extent of involvement that external parties have in your ICS cyber security activities and how this will likely change over the next 3 years.   
*Please use comments to elaborate on the kinds of services and suppliers that you use or plan to use

 Extensive, no change Extensive, decrease Moderate, increase Moderate, no change Moderate, decrease Minimal, increase Minimal, no change Don't Know 
System Vulnerability Assessment & Auditing
Management of Security Patches and Updates
Management of Security Product Configurations and Profiles
System Event and Alert Monitoring & Forensics
Cyber Incident Management & Recovery
Employee Security Training & Testing
  • Comment:

  • 500 characters left.

 Processes, Practices, and Procedures

 
5.

How would you rate your company's business processes and policies with respect to what you think is necessary for "good" ICS cyber security? 
*Please use comments to elaborate.

 Good Acceptable Need to be Improved Don't Know  
Risk Assessment & Management  
IT Asset Management (control of all SW & HW products, versions, etc.)  
IT Asset Configuration Management (control of options, settings, policies, etc.)  
Management of User and Device Rights & Privileges  
Management of User Passwords and Other Forms of Authorization  
Policies regarding use of removable devices like USB memory sticks  
Policies regarding the use and security of mobile devices  
Plant Operational, Maintenance, and Safety Procedures  
Process, Product and Plant Engineering Processes  
Supplier Selection and Procurement Processes  
  • Comment:

  • 500 characters left.
6.

How would you rate your company's ICS cyber security practices with respect to what you think is necessary for "good" ICS cyber security? 
*Please use comments to elaborate

 Good Acceptable Need to be Improved Don't Know  
Anti-Virus Updates Management  
Tracking of New Product Vulnerabilities & Threats  
Management of Recommended Security Patches  
System Vulnerability Assessment & Auditing  
Security Event and Alert Information Management  
Security Event and Alert Forensics  
Cyber Incident Management & Recovery  
Employee Security Training & Testing  
Contractor and Supplier Security Training & Testing  
  • Comment:

  • 500 characters left.

 Use of Cyber Security Technologies & Sevices

 
7.

Please describe your organization's use of next generation firewall (NGFW) capabilities to protect the perimeters and interiors of your industrial control systems.
*Note that we are asking if you actively use these capabilities to protect your control systems, not if you have these capabilities (most modern devices do).  

 Use Now Plan to use within 1 year Plan to use within 3 years Want to use, but no specific plans Don't use and no plan to use Don't know 
Stateful analysis and blocking of messages to specific endpoints
Deep Packet Inspection
Deep Packet Inspection for ICS protocols (e.g. Modbus, Profibus, Profinet)
Network Intrusion Detection (NIDS)
Network Intrusion Prevention (NIPS)
Network Access Control (NAC)
Universal Threat Management (UTM) (AV protection within the network itself)
Network Message Whitelisting
Data Diodes (one-way communication devices)
  • Comment:

  • 500 characters left.
8.

Please describe your organization's use of cyber security technologies to protect your industrial control systems and the associated endpoint devices. 
*Note that we are asking if you actively use these capabilities to protect your control systems not if your company has these capabilities. 

 Use Now Plan to use within 1 year Plan to use within 3 years Want to use, but no specific plans Don't use and no plan to use Don't know 
Anti-virus software
Application Whitelisting
Host-based Firewalls (Software)
Host Intrusion Detection (HIDS)
Host Intrusion Prevention (HIPS)
Security Information & Event Management (SIEM)
Analytics-based Cyber Forensics
Encryption and Anti-Virus Protection of USB Ports
  • Comment:

  • 500 characters left.
9.
Following are ideas that ICS cyber security suppliers are considering in their product development programs.  How would prioritize them considering your own program needs and plans? 
*Please use comments for other ideas and to elaborate on your specific needs.
 High Priority Moderate Priority Low Priority Don't Know  
Integrated management of ICS network and endpoint security settings  
Better tools for managing user rights, privileges, and passwords  
Better tools for managing mobile device security  
Multi-factor authorization solutions  
Better tools for evaluating the relevance of vulnerability and threat advisories  
Tools to check for control system vulnerabilities, not just IT system checks  
Hot patching of ICS products (i.e. updates w/o reboots, loss of scan, etc.)  
  • Comment:

  • 500 characters left.

 Drivers, Inhibitors, and Key Concerns

 
10.

How important are the following in driving your investments in ICS cyber security processes and technologies.
* Please feel free to clarify and/or identify other important factors in comments

 A Key Driver Very Important Important Only a secondary consideration not important Don't Know 
Process Uptime/Availability
Process and People Safety
Protection of the Environment
Process Integrity
Regulatory requirements
Information Confidentiality
  • Comment:

  • 500 characters left.
11.

Which of the following are Major Constraints to your ICS cyber security efforts? (Please select all that are Major Constraints) 

Lack of top management concern and support
Lack of plant management concern and support
Lack of understanding of differences between IT and ICS cyber security
Lack of capital
Inability to show a financial payback
Lack of the resources with the expertise to manage and maintain the technology
Lack of required technologies/products
Other  
  • Comment:

  • 500 characters left.
12.

How would you characterize your organization's concern regarding the following ICS cyber security issues?
* Please use comments to clarify and/or identify other major concerns.

 Major concern Moderate Concern Minimal or No Concern Don't know  
Hacktivists  
Cyber Criminals  
Cyber Terrorists and/or CyberWarfare  
Internal Threats - Intentional by disgruntled or untrustworthy employees  
Internal Threats - Accidental changes to data, control programs, configurations, etc.  
More government intervention in ICS cyber security  
Increased vulnerability due to more integration with business systems  
Increased vulnerability due to use of wireless networks  
Increased vulnerability due to need to support BYOD  
Increased vulnerability due to more use of remote access  
  • Comment:

  • 500 characters left.

About your company and yourself to help categorize the responses

 
Required 13.

Which of the following best describes your organization's role in ICS Cyber Security?

End User
ICS/Automation Technology Provider
ICS/Automation System Integrator
Cyber Security Technology Provider
Cyber Security Services Provider
Cyber Security Consultant
Regulator or Government Agency
Academic or other researcher
Other  
Required 14.

What is your organization's primary industrial focus? (check all that apply)

Automotive
Chemical
Consumer Packaged Goods (CPG)
Electric Power Generation
Electric Power Transmission & Distribution
Electronics
Food and Beverage
Government
Machinery
Mining and Metals
Oil and Gas Exploration and Production
Pharmaceutical and Biotech
Pulp and Paper
Refining
Semiconductor
Transportation
Water and Wastewater
Other  
Required 15.
For which of the following regions should we consider your responses applicable? (Please check all that apply) 
North America
Latin America
Western Europe
Eastern Europe and FSU
Russia
Middle East
China
India
Japan
Rest of Asia
Australia
Other  
16.

Please provide the following information so that ARC can send you the results.
Sid Snitkin srsnitkin@arcweb.com will send you the results.


First Name:
Last Name:
Company Name:
Email Address:
emailaddress@xyz.com