ENISA, the European Union Agency for Network and Information Security, has analyzed the current maturity level of ICS/SCADA cybersecurity in Europe and provided recommendations for improvement.
The number of cybersecurity incidents involving SCADA (supervisory control and data acquisition) and industrial control systems (ICS) in general has increased considerably in the past years. In 2014, the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received reports about 245 incidents, over half of which are believed to have involved advanced persistent threats (APTs).
ENISA has conducted research and a series of interviews with officials from eight EU member states to establish maturity levels for ICS/SCADA security and determine which areas can be improved. The member states involved in the study were Estonia, France, Germany, Lithuania, the Netherlands, Poland, Spain and Sweden.
ICS/SCADA Security Maturity Levels
The agency has identified four maturity profiles based on legislation; support for service providers in improving ICS/SCADA security via incentives, education, and specialized agencies; and local conditions, which focus on the improvement potential, opportunities and challenges of member states.
The third level, “reactive supporters,” focus on lessons learned and reactive means for improving ICS security. On the lowest level are “early developers,” countries that are in the process of developing legislation and support for improving critical infrastructure security.
Positive Examples
ENISA has analyzed a dozen areas that are important for a good ICS security posture, including organizational structures, regulations and policies, incentives, incident handling, education, training, R&D, information sharing, and auditing. For each of these areas, the report identifies EU member states that set a good example.
When it comes to organizational structures, Poland, Germany and France set a good example as they’ve all designated an authority that is responsible for critical infrastructure security. In Poland, for example, each critical infrastructure operator has a security liaison officer who reports major security incidents to authorities.
Poland also sets a good example in the policies and regulations area, along with Germany, France and Spain. Spanish regulations, for instance, dictate that every critical infrastructure operator must have a security plan in place, including methodology and guidelines for implementing proper security measures.
Many EU member states believe that the critical infrastructure operator is responsible for securing its systems and don’t offer any incentives. On the other hand, ENISA has found that operators expect incentives as a form of support from member states or the European Union.
The list of possible incentives includes refinancing of ICS cybersecurity activities, tax exemption, and lower insurance rates. However, currently only Estonia sponsors voluntary ICS security assessments.
Recommendations
ENISA has provided a series of recommendations that policy and decision makers can focus on to improve ICS cybersecurity maturity levels. The first recommendation is that ICS/SCADA security efforts should be aligned with critical information infrastructure protection and national cyber security strategies.
Secondly, EU member states are advised to develop good practices specific to ICS/SCADA security. Another recommendation focuses on creating a standard for information sharing between critical sectors and member states.
Raising awareness, training and educational programs, and ICS-specific research are also on the list of ENISA’s recommendations.
The complete report, titled “Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors,” is available on ENISA’s website.