Control System Cyber Security Annual Report 2022
This report is the latest in a series of annual projects, drawing from ongoing research by the Control System Cyber Security Association International ((CS)2AI) and its community of members and Strategic Alliance Partners (SAPs). Based in decades of Control System (CS) security survey development, research and analysis led by (CS)2AI Founder and Chairman Derek Harp and Co-Founder and President Bengt Gregory- Brown, the (CS)2AI team invited participation from our 24,000+ global membership and thousands of others in our extended community. We asked them key questions about their experiences in the front lines of operating, protecting, and defending Operational Technology (OT) systems and assets costing millions to billions in capital outlay, impacting as much or more in ongoing revenues, and affecting the daily lives and business operations of enterprises worldwide. Over 580 of them responded to our primary survey and many others participated in numerous secondary data gathering tools which we run periodically.
This pool of data, submitted anonymously to ensure the exclusion of organizational politics and vendor influences, has offered insights into the realities faced by individuals and organizations responsible for CS/OT operations and assets beyond what could fit into this report. We hope the details we have selected to include serve the decision support need we set out to answer.
Project objective
The (CS)2AI-KPMG Control System Cyber Security Report Steering Committee launched the project to collect, analyze and report on data from professionals working in control system cyber security in the first quarter of 2021, with the goal of producing another in our annual series of informative decision-making tools for everyone involved with this work, whether end-users or vendors, leaders or operational.
To gather our data we invited participation in the survey component through a wide range of broadcast and direct channels, targeting all parties actively engaged in the cyber security of Control Systems. Our respondents included professionals at all organizational levels: cyber security specialists and subject matter experts (SMEs) as well as those whose work includes but does not necessarily consist solely of securing and protecting control systems.
Survey methodology
The (CS)2AI-KPMG Control System Cyber Security Survey and Report was a collaborative effort of the following entities:
— (CS)2AI: As the originator of the project, (CS)2AI held the primary role in developing, leading and implementing the project, including producing the project deliverable of authoring this report.
— KPMG: As the Title Project Sponsor, KPMG provided primary support in the form of funding and human and organization resources to augment (CS)2AI’s own capabilities.
— Additional sponsors: non-Title Sponsors provided additional funding and human and organization resources where possible. (See Appendix D: Report sponsors).
Pursuant to the project objectives stated above, (CS)2AI and the project sponsors distributed multiple online surveys to members of the CS/OT working in the field during the second and third quarters of 2021, collecting key data around CS events, activities and technologies as well as regarding how organizations are responding to ongoing developments in the threatscape.1 (CS)2AI invited participation from its associated members, known OT security defenders and researchers, distributed the survey through various social media channels, and promoted it on sites serving the CS cyber security workforce, with the intent to collect as wide a sample as possible. Respondents self-selected by affirming their involvement with the field of CS Cyber Security.
The ability to parse our participants into different groups and consider their responses in light of their group associations is key to the insights derived from this annual research project. In our view, the survey participants’ control system cyber security program maturity is the most important dimension. We asked each participant to choose which of the following descriptors best fit the situation in their organization.