The State of ICS: One Year Into the Cyber Executive Order
It’s been a full year since the new administration issued its first cyber executive order, “Presidential Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” with an emphasis on leadership accountability and a risk management approach to cybersecurity strategies, policies and practices. The EO also placed significant emphasis on the need for agency IT and cybersecurity personnel to expand their organization’s support for securing critical infrastructure (CI) assets.
As the one -year milestone approached last week, news outlets attempted to gauge the progress – or the lack thereof – that has taken place since the order was issued. Some highlights included:
- The National Security Council’s delayed cyber-deterrence strategy
- The elimination of the White House Cybersecurity Coordinator
- A new executive order strengthening CIO authority
- Newly published agency strategies that reflect the EO’s mandates
- The American Technology Council’s 1st year and its greatest accomplishment
If I were to summarize the headlines, I would probably say that progress has been “mixed”.
Tripwire recently released a report that is also being considered as an indicator of progress, specifically regarding the EO’s critical infrastructure security mandate. The “ICS Security in the Energy Industry” was conducted in March 2018, and its respondents included 151 IT and operational technology (OT) security professionals at energy and oil and gas companies, 28% of which self-identified as “government-managed” organizations.
Consistent with the indicators above, Tripwire’s data shows progress as “mixed” or “slow”.
On the one hand, we can view the glass “half-empty” (or mostly empty) by the fact that 81 percent of respondents from government-managed organizations still believe a cyberattack could result in a catastrophic event (approx. 10% higher than non-government managed organizations) and 64 percent view the probability of a security attack on ICS systems still as “likely” or “inevitable”.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Mitch Jukanovich. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/the-state-of-ics-one-year-into-the-cyber-executive-order/