It is easy to say, “My system has never been under attack before, so it will remain safe.” But that “bury your head in the sand” mentality just will not cut it heading into the new year.
Just take a look at one power company that reported to ICS-CERT in early October that it had a virus infection in a turbine control system, which affected ten computers on the control system network.
Discussion and analysis of the incident found that a third-party technician used a USB drive to upload software updates during a scheduled outage for equipment upgrades, according to ICS-CERT. Unknown to the technician, the USB drive carried a crimeware infection. That infection resulted in downtime for the systems and delayed the plant restart by three weeks.
That just goes to show that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media.
These practices will mitigate issues that could lead to extended system downtimes. Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events.