Three-fifths of the industrial control industry has not deployed security configuration management

Conducted during 2013 with the Ponemon Institute, the survey evaluates the attitudes of 1320 respondents from the US and UK.

The study has revealed that the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security. While 51% use formal risk assessments to identify security risks (5% higher than the survey average), only 40% have fully or partially deployed security configuration management, differing from the survey average of 49%. And only 56% listed an "openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach, 6% lower than the survey average.

"With the rapid escalation of critical infrastructure cybersecurity threats, industrial control organizations have a lot to do,” said Dwayne Melancon, chief technology officer for Tripwire. "It is encouraging that they are embracing a risk-based view of their operations at a higher than average rate, but this is not enough to protect them against determined attackers. It is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability.”

"Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level,” Melancon continued. "Security risks must be considered in context with overall business risk or the entire organization’s success will be in jeopardy.”

Tripwire is a provider of risk-based security and compliance management, enabling enterprises to effectively connect security to their business.