There is a pressing need for technical assurance standards for industrial control systems (ICS). This is the conclusion and recommendation of a new paper from CREST (a leading UK accreditation body), and is supported by the UK National Cyber Security Centre (NCSC). That need just got stronger if, as now suspected, NotPetya and perhaps WannaCry, were cyber weapons tests. An encryption/wiper inside the critical infrastructure could have dire effects.
The danger is discussed in the stated rationale for the paper (PDF) titled ‘Industrial Control Systems – Technical Security Assurance Position Paper’. “The increased connectivity of ICS environments and their use of conventional IT infrastructure components and protocols has enlarged the attack surface that can be exploited by ever more sophisticated cyber security attackers, such as state-sponsored attacks, organised cybercrime and extremist groups.”
The problem for ICS is that while the attack surface is growing, the resistance against implementing new security controls that might disturb operational continuity remains high. “Securing ICS environments in many organisations is technically demanding and difficult to undertake (obscure and often obsolete technology, limited resources, high degree of sensitivity),” notes the report. Although there are several published frameworks for securing ICS environments — including NIST SP.800-82r2, CPNI Security for Industrial Control Systems, IEC 62443, and ISA99 — there is a lack of mandatory standards on how to test and assure that security.
The report notes that technical security testing specialists consider “inadequate management support (eg. lack of budget, poor resourcing, low risk appetite) as the most important factor affecting the ability to secure ICS environments and undertake technical security testing activities.” Other difficulties include the evaporation of the air gap between IT and OT as a viable security control; cultural barriers and a resistance to change; the shortage of skilled resources; and a high degree of technical complexity and obscurity.
The effect of a difficult testing environment and a lack of management drive means that ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed; and at present there is no definitive standard for testing ICS environments that is mandated by regulatory bodies. “Frequent technical security assurance provides stakeholders, both inside and outside the organisation, with objective fact-based information on what remediation is required, why it is required and how it should be applied,” says CREST. The purpose of this paper is to lay the groundwork for developing such standards.
“ICS environment owners require assurances that risk is being identified, assessed and evaluated,” says Ian Glover, president of CREST. “Above all else they need to know that there are appropriate measures in place to manage and mitigate risk. Research on the project,” he continued, “has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”
CREST’s research confirmed that the overall context for all technical security testing should be provided by ICS environment owners (for example, all technical security testing should be business-led) and that the approach should be standards based. From this it developed a six-point standards-based testing process: define and agree scope; assess risks; undertake discovery; develop test plan; conduct technical security tests; and analyze and report test results.
The scoping process requires that the tests be aligned to the strategic, process and system requirements of the organization. “It is important,” says CREST, “to be able to make this connection for all stakeholders and ensure there is a good understanding of the strategic, process and systems context as risk identified in ICS environments will have relevance at all three levels in the organisation.”
Risk assessment explores the main threats and vulnerabilities of the ICS environment and determines the key risks and likely risk scenarios to be tested. Threat intelligence, says the paper, can “come from a wide variety of sources including the dark web, inside industry sources, open source monitoring, government sources and hacking forums.”
The discovery step is designed to determine the specific devices that make up the infrastructure, systems and services in the ICS environment.
Developing a test plan requires a schedule of carefully constructed offline and online tests that are designed to assess the key risks of the ICS environment. There are, suggests CREST, proven test methods that can be used. “While as a general rule online technical security testing in ICS environments should be used with caution,” says the report, “there are a variety of measures that can be taken to ensure services are aligned with the needs of the client and the risk of disruption is minimised.”
Conducting the technical security tests involves a combination of offline and online tests that help to assess the ICS environment in a progressive check-test-check manner. “Research on the project has shown that Red Teaming is regarded by technical security testers working in ICS environments as a particularly valuable testing technique,” notes the paper.
The final step, analysis and reporting, should document and report test results that are aligned to the business objectives and scope agreed with the ICS environment owner.
“This Position Paper,” concludes CREST, “has identified a variety of actions that can be taken to help improve the uptake and use of technical security testing in ICS environments but of fundamental importance is the need to develop a standard for conducting technical security testing and the certification of organisations capable of providing technical testing services against this standard.” It urges that work should start on developing its proposals into a “standard to help provide assurance that cyber risks are being managed in ICS environments.”
It has the backing of the UK National Cyber Security Centre (NCSC). “We believe this paper provides a valuable contribution to the current thinking on this challenging topic and we look forward to working with CREST, as well as ICS operators and the cyber security industry.”
Related: Learn More at SecurityWeek’s 2017 ICS Cyber Security Conference