By Heather MacKenzie
Do you believe your control system is in more danger from cyberattacks now than it was a year ago? How does this compare with what other organizations are experiencing? How does your company compare to others in terms of doing security assessments? What security initiatives are others prioritizing?
If any of these questions are of interest, you will want to study the “SANS 2016 State of ICS Security Survey” report. This is one of the only no-charge sources of ICS security data available. It has the advantage of being an annual report, so it is possible to identify changes over time, and it provides quantitative statistics.
This year I am going to comment on three aspects of the report’s findings: security threats and perceptions, security visibility and the convergence of IT and OT.
Threats and Perceptions
More than 300 industrial entities completed the SANS survey, and a key finding is that 67 percent of them perceive the threat level to control systems as severe or high, up significantly from 43 percent in 2015. Factors contributing to the increased perception of threat include:
• The increasing numbers of unsupported or unpatchable systems in control networks. An example would be devices using embedded Windows XP that haven’t been readily replaced because of the domino effect of doing so.
• High-profile, successful attacks on control systems such as the German steel mill and the Ukraine power grid.
The top three threat vectors organizations worry about most are external threats, internal threats and malware families. One threat that decreased year-to-year is that posed by IT/OT integration.
Internal threats were a concern of 42 percent of respondents and this is up over 21 percent from last year. I was glad to see this category further broken down, as it wasn’t in the past. The new breakdown shows intentional internal incidents separately from unintentional internal incidents. Interestingly, unintentional internal threats are the second-highest perceived threat overall.
This type of threat could be a human error such as a misconfiguration, inadvertent use of an infected USB flash drive or responding to a spear phishing email. Alternatively, with a lot of legacy equipment in use, it could be from a device or software error. Since the top business driver for control system security is ensuring reliability and availability, this points to the need to prioritize measures such as configuration and change management monitoring for safeguarding uptime.
While the 2015 SANS report devoted a large percentage of its comments to security controls and methodologies, the 2016 SANS report focuses on security visibility. This might reflect the fact that industrial organizations are more mature in terms of the level of security programs they are executing now.
For example, in the past, organizations wanting to improve their security posture would do a risk assessment, identify key assets or systems and protect them first, make sure to have a well-designed network with good segmentation as per ISA/IEC 62443, implement Defense in Depth measures and use industrial firewalls as compensatory controls for vulnerable devices that cannot be easily secured any other way.
One indication that industrial security has moved forward, and not just at the big energy entities, is the widespread use of cybersecurity standards. The 2016 SANS report finds that 47 percent of respondents use the NIST guidelines and most organizations are mapping their security measures to more than one set of standards.
So what’s next? One area is “basic hygiene,” which in the IT world means implementing security visibility controls such as intrusion detection, log management, configuration management and file integrity monitoring.
While the tools IT uses for security visibility are not necessarily suitable for high availability control networks, the 2016 SANS report points out that a way to start on improved visibility is with security assessments. These include documenting assets and network connections, and they increase in sophistication to include things like network traffic baselining, security breach detection, vulnerability identification and remediation tracking.
In terms of where industry is today, only 26 percent of respondents have conducted a security assessment in the last 3 months. In addition, 31 percent have not done one for more than a year or have never done one.
When a security assessment is completed, the next step is to follow it up with security monitoring. If you are from the ICS side of your business, these types of measures could be new.
SANS said 46 percent of the respondents to the survey have job responsibilities that cover IT and OT, and the balance of the respondents were purely IT or purely OT. No matter how you look at it, that is a high percentage of people with joint responsibilities.
I suspect people with joint responsibilities originated from the IT organization, simply from the fact that the second-highest cybersecurity standard used by survey respondents is the SANS 20 Critical Security Controls. This is a set of controls not well known by ICS professionals.
However, wherever they originate, let’s be thankful that more people have joint IT and OT responsibilities. Of all the security challenges that exist, maybe getting these two groups to cooperate is not as big a challenge as we feared. One thing I can say to the ICS people – in order to improve your organization’s security posture, you are just going to have to cooperate closely with IT.
Upping security controls to include things like configuration compliance monitoring, regular security assessments and the utilization of threat intelligence engines is not something most operations engineers can or want to do. However, becoming familiar with the tools and providing expertise that protects the running of mission-critical control networks is essential.
Heather MacKenzie is with Tofino Security, a Belden company.