How is your organization doing relative to others in terms of how many security breaches occur on your control systems and how well you identify their sources? What about the size of your security budget versus others? Or how well you are managing the convergence of IT and OT systems?
If you would like to know the answer to these questions, the SANS Institute has a report for you. And, the good news is you can download it for free.
The results of the 2015 SANS survey of more than 300 industrial respondents are now available. I want to draw your attention to this useful resource and highlight a few of its findings. I also want to point out a few areas where Belden’s experience and recommendations differ slightly from those of SANS.
Reports from organizations like SANS help you stay current with ICS security best practices.
Post-Stuxnet, SANS, an organization dedicated to cooperative research and education about cybersecurity, began an ICS security-specific practice. It now provides an annual report on the state of industrial control system security. In addition, through its extensive training program, SANS offers professional certification in industrial cybersecurity.
Bottom line, if you are not familiar with SANS, take the time to find out about it and how your organization can benefit from its work.
Tripwire, a Belden-owned company, has worked extensively with SANS. In particular, the SANS 20 Critical Security Controls (CSC), a prioritized list of security controls that maps to the NIST framework, was developed with the input of many organizations and experts, including Tripwire. (FYI, Tripwire provides additional resources on the SANS 20 CSC that might be useful to you.)
While we are on the topic of useful resources, I would also like to point out RISI. RISI stands for the Repository of Industrial Security Incidents and it is a free database of security events. RISI is owned and managed by exida, an industrial cybersecurity and safety consulting company, and it is funded by member contributions. Though much smaller and more focused than SANS, it does provide useful information.
One thing that is not a shocker in the SANS report is that respondents indicate their primary concern about the security of control systems is ensuring their reliability and availability. Let’s keep this thought in mind as we examine some of the other data.
For example, the most concerning threat vector identified by respondents is external actors (73% of respondents put this as one of their top three concerns). With high profile cyberattacks (Sony, Target) and malware (Duqu 2) making headlines in the mainstream media, it is not surprising that companies are concerned about such threats.
The second most pressing concern identified by survey respondents is internal threats (49%), followed by integration of IT into control system networks (46%).
The internal threat category is not broken down. I assume it includes the deliberate actions of insiders as well as accidental incidents. I point that out because previous RISI data indicated that unintentional incidents, particularly those due to device and software failure, were especially significant.
According to 2011 RISI data, most cybersecurity threats and incidents are unintentional and occur inside industrial networks.
IT and control systems are integrating more and more, particularly with the advent of the Industrial Internet of Things. Thus an interesting aspect of the new SANS data pertains to the state of organizations’ planning efforts around convergence.
The good news is that the importance of having a security strategy that addresses convergence is recognized by 83% of the survey respondents. The more challenging news is that only 47% of them actually have a strategy.
Another interesting data point is that a majority of participants indicate at least a moderate level of collaboration exists between IT and control system operations groups. They also indicate that the level of collaboration is increasing. For some tips on how to collaborate, see this previous article on how IT and OT must adapt.
The SANS report does a good job of indicating both the security controls and methodologies being used by respondents and recommending some that should be used. (For information on Belden and Tripwire products that address particular security controls, see the Related Links section at the end of this article.)
While mainly in agreement with the SANS recommendations, Belden would recommend the additional measures of:
There is one area where we diverge from SANS. SANS recommends protecting the weakest points of the system first, in particular industrial protocols. We are in absolute agreement that industrial protocols need to be protected using DPI (deep packet inspection) technology, and we offer some of the few products on the market that do it.
However, overall we recommend that companies focus on the last bullet point first and “protect the crown jewels”, i.e. the systems that would cause a complete disaster if they were to shut down, whether due to malicious or accidental causes.
The SANS report includes a lot of excellent information and most of it is not covered here. I recommend you read it and that you also consider their courses as a way to increase the ICS security skills in your organization.
What is the state of security in your control system? Do your practices conform to or diverge from the reported data? I look forward to hearing from you.
The white paper below highlights an advanced attack on manufacturers. Be sure to read the final section on “Defending Industrial Control Systems”. It may point out some risks you have not yet considered.
Belden Industrial Firewalls
Tripwire Solutions for Industrial Control Systems