Lack of formal documentation, event monitoring, and control over permissions and privileges remains common in industrial control system environments, according to the Department of Homeland Security.
The assessment identified security gaps in the enterprise and control system networks for over 230 critical asset owners, the Industrial Control Systems-Computer Emergency Response Team (ICS-CERT) said in its latest issues of ICS-CERT Monitor. The assessments were designed to strengthen the country’s critical infrastructure’s overall security posture.
Lack of formal documentation for processes and policies within the organization was a common security gap across industrial control system operators, owners, and manufacturers, ICS-CERT said. Poor system access controls meant organizations were not properly controlling who had permission to access the network and its various resources. Privilege management and access controls are especially important in these kinds of sensitive networks.
“ICS-CERT encourages asset owners to review their network for these common security gaps and take measures to eliminate known system vulnerabilities,” ICS-CERT wrote.
Another common gap was in event monitoring, as organizations were falling behind on audits and accountability. This included issues such as having no security audits or assessments at all, and poor or nonexistent logging practices. For some organizations, the network architecture was not well understood, or administrators were not consistently enforcing remote login policies or controlling incoming and outgoing media.
ICS-CERT used the newly launched CyberSecurity Evaluation Tool (CSET) and compared each organization’s security practices against accepted industry standards.
Other common security weaknesses included improper authentication controls and credentials management. In many cases, the network was poorly designed, with an undefined security perimeter or improperly configured firewalls. Network devices were not properly configured, and in some cases there was little or no monitoring by intrusion detection systems. Along with improperly deployed network devices, the assessment uncovered configuration issues such as weak testing environments, weak backup and restore capabilities, and poor or limited patch management.
The three-year onsite assessment reviewed existing customer systems to discover possible vulnerabilities and developed strategies for effective defense-in-depth processes. Organizations also learned about national cybersecurity standards, industry-based recommendations, and best practices as part of the assessment.
“The assessments also assisted these organizations in identifying and prioritizing their most critical vulnerabilities requiring immediate attention and provided real-time resolutions and recommendations for enhancing their security awareness and defensive posture,” ICS-CERT said.