By Derek Harp, (CS)²AI Founder, Chairman and Fellow
April, 2021
I am proud to announce today that the work to produce the 2021 (CS)²AI-KPMG Control System Cyber Security Report has begun!
I would like to ask you to join our Members helping Members effort by doing two things today:
Contribute to the body of knowledge and be one of the first to participate in the 2021 CS2AI annual survey right now today!
Share this article and/or the survey link with your network.
As the (CS)²AI organization continues to rapidly grow and evolve, foremost in my mind is the alignment of the diverse interests of key stakeholders among the people who make up our community. We are committed to increasing the range of respondents in every way to ensure the insights drawn from the data represent as many different stakeholders as possible.
In studying the data for our 2020 report, we did find some things we want to understand more and one of those is coloration of answers from very different respondents. If we assume typically that leadership sets the goals and provides the resources needed to achieve those, it follows that operations focuses on using the supplied resources to accomplish the mission. Yet when looking at top priorities reported by these two groups, we find that executives and non-executives do not always hold the same set of targets.
One area in which these two groups were in relatively close agreement is the low prioritization of cloud-based services in their control system environments. This caught my eye because the use of those same services is a major component of the technology trends variously referred to in terms such as the IT-OT Convergence, Industry/Industrie4.0, Digital Transformation, and Smart Factories (Cities, Grids, etc). Few if any control systems remain without multiple connections to one or more clouds, each creating potential exposures for attackers to exploit. So why isn’t the security of these connections and the services running over them a top priority? We have some clues and are working on further research to dig deeper into this question.
Probably our greatest area of success in this research project has been identifying some clear differences between organizations at opposite ends of the cyber security program maturity scale. Areas like the use of managed security services, frequency and thoroughness of cyber security assessments, may seem self-evident places to find these differences, but we found the groups diverged in other important ways as well, such as what security technologies they had implemented and which attack vectors were used in cybersecurity incidents in their environments.
It is findings like these, ones that help organizational leadership identify the gaps their teams can target for the greatest potential security ROI, that we search for most diligently. The range of threats, exposures and vulnerabilities, and the array of methods and tools to protect our people and assets against them, are dynamic and vast, while the resources which can be brought to bear are always going to be limited. The need to work smarter, to maximize the effectiveness of the people, skills and funds, is what drives demand for key decision-making tools, and I’m very glad to say that feedback for (CS)²AI first annual control system cyber security report has confirmed we achieved our goal in creating such a tool.
If you did not get a chance to review the 2020 (CS)²AI-KPMG Control Systems Cyber Security Annual Report, A free copy can be downloaded here: https://www.cs2ai.org/reports
I would like to thank our title sponsor and Platinum Strategic Alliance Partner, KPMG for continuing to underwrite and contribute resources to this project and decision support tool for the community. I also would like to thank Waterfall Security Solutions, Fortinet, Tempered, Industrial Defender, Verve, Applied Risk, Bedrock Automation, Fend and GBQ for joining the effort to make the research and annual report better each year.
