These Prescriptive Steps Can Help the State of Security in Your ICS Network Environment
At this point, I’ve written a number of times about the increasing threat to the security of Industrial Control Systems (ICS) and Critical Infrastructure networks. I’ve pointed to a changing threat landscape and to inherent flaws and systemic security risks within these networks that make them difficult to protect. I’ve presented a thesis that we’ve lost a decade worth of security advancement while waiting for threats to manifest, and suggested that 2017 has shown us that the nightmare scenarios we’ve discussed may be right over the horizon.
Hopefully you’ve read those articles with an open mind and taken away from them what I’ve intended – a sense of urgency, a realization that these networks must be a top priority in your security strategy, and a motivation to convince your organization to act. If you haven’t read these articles, I invite you do so today.
Many of us believe that securing these networks is the challenge of our industry for the next decade, that we’ve known of security weaknesses for far too long, and that lip service can no longer be the status quo in dealing with them. The National Infrastructure Advisory Council (NIAC), which is comprised of leaders across critical infrastructure industries, stated in their recent report to the Trump Administration that, “The challenges…are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions,” and I could not agree with them more.
In the spirit of taking concrete steps – I thought I’d use this opportunity to outline a few prescriptive steps that can be followed to do something about the state of security in your own ICS network environment.
We’ll reserve more of the technical focus for next month’s article – which will be jointly penned with Eric Cosman, founding member and present co-chair of the ISA99 committee (IEC – 62443) on industrial automation and control systems security.
For this part, we’ll look more at the macro level of what needs to be done:
1. Acknowledge the threat and communicate it LOUDLY across your organization: A year ago, you might struggle to find examples that would be cause for pause or turn heads inside your organization. Today, you should be able to clearly demonstrate the need for action. The continued probing of global Energy and Nuclear facilities as documented in a July alert by ICS-CERT/a subsequent September report by Symantec is a good case in point. The spill-over of ransomware in the WannaCry and Petya/NotPetya campaigns into ICS environments will likely be more of an immediate head-turner. To date, more than $900m in losses have been attributed to the Petya/NotPetya campaign – it interrupted production across major global brands and it is a perfect example of the type of impact a security event could have inside your organization.
2. Stand up a project NOW – this year – to improve security for your ICS network as early as possible into 2018: If you believe the thesis that the threat is growing and we will see more attacks in the very near future, then there is no time but the present to take action. As the NIAC stated “…a narrow and fleeting window of opportunity,” is upon us. You know as well as I do how slow the pace of change can be. Putting an “ICS Security Project” on your roadmap two or three quarters from now is going to do nothing to help you combat attacks until 2019 or beyond. You’ve got fewer than 90 days left in 2017, you’ve likely submitted or will be submitting very shortly an initial security budget request…you should be standing up a project which focuses on practical, impactful and near-term deployable solutions before the year is out, putting dollars in your 2018 budget, getting the wheels turning so that you can be looking at something production ready by middle of 2018 latest.
3. Talk to your suppliers, your peers and industry analysts about where you should be focusing: In the past few months, a number of the world’s biggest ICS equipment vendors have announced partnerships with cybersecurity firms. These are the people that make your network gear/that have a responsibility to help you protect it. Talk to them – get their input on where they think you need to focus. Talk with your peers – while the pace of adoption of new security controls is slow at current, many have been making strides in the past two years towards a more secure future. Talk to the big analyst houses and the boutique ICS firms as well – get guidance on where you need to invest your time and money.
4. Tackle the biggest issues first: Asset discovery is a major issue in ICS network environments. “No way, Galina – we know exactly what is in our network. I have it all documented right here on this Excel spreadsheet dated this time last year.” Trust me, this is a norm in this space. I cannot even enumerate how many times we’ve walked into an engagement and immediately shown the practioner a huge list of assets they didn’t even know they had. You can’t secure what you don’t know you have. So, prioritize asset discovery. Also – look into monitoring solutions specifically built for the ICS domain. There are half or dozen or so companies engaged in this space. You have to start with a solid foundation – you need to know what is coming and going/what “normal” is in these environments so that you can get on the path to rapid detection, response and remediation of threats.
We’ll look at more of what you can do in the next article. Hopefully, the above gives you a little bit to think about and a potential roadmap for action. If it doesn’t resonate, make your own list of steps to take and please, take them! The time for debate is over and any more time spent discussing whether or not the threat is real – well, it is just going to result in a lot of pain in the not too distant future.