A common best practice in any field is to benchmark performance or results against industry norms. In the case of industrial control systems (ICS), security breach benchmarking is a challenge.
There isn’t a lot of data available and the data sets that are available are not as extensive or as granular as one would like. Informal information sharing occurs through government bodies, consulting firms and security vendors as well as at conferences. Unfortunately, it’s not available to many people involved with designing and operating network infrastructure in the manufacturing and process control fields.
Having said that, there is some ICS security breach data available and it is worthwhile to obtain it, review it and reflect on it. This article provides a list of freely available information on the state of industrial security and provides some context for each source.
Don’t have your head in the sand. Take advantage of freely available ICS security breach data to evaluate and improve your industrial security programs.
Let’s first look at data sources that specifically address cyber security for industrial control and automation systems and then we’ll review those that cover a broader set of organizations.
a. SANS ICS Security Survey – Quantitative Data and Good Recommendations
The SANS Institute is a large and established organization dedicated to cooperative research and education about cyber security. It started with an IT focus, but post-Stuxnet SANS started an ICS security-specific practice.
Besides offering training, including an industrial cyber security professional certification, SANS does an annual survey open to all industrial organizations. Survey results are published in a written report and presented in a webcast.
Today SANS is presenting the results of its 2016 survey:
The advantages of the SANS survey results are that they are ICS specific, quantitative and identify changes in cyber security challenges and practices over time. Also, the survey report includes industrial-focused security recommendations that should be evaluated for your own cyber security programs.
We summarized the SANS 2015 results in this article and also called out areas where Belden’s recommendations are slightly different than those of SANS.
b. ICS-CERT – U.S. Focused Data for Critical Infrastructure Industries
You are likely familiar with ICS-CERT, a U.S. government agency that publishes alerts and reports about control systems-related security incidents and mitigation measures. It focuses on critical infrastructure industries and its incident reporting is part of the information sharing mandate of the National Cybersecurity and Communications Integration Center (NCCIC). Its data is not comprehensive because not all parties choose to share incident reports.
ICS-CERT also publishes a newsletter (NCCIC/ICS-CERT Monitor) every 2 months which covers its recent activities and information about products affecting industrial control systems. Some of these newsletters contain incident response statistics, like the November/December 2015 edition did. An example of the data they release is shown below.
In 2015 ICS-CERT responded to 295 cyber incidents involving critical infrastructure. Critical manufacturing accounted for 33% of all incidents and the high number is primarily due to a widespread spear phishing campaign.
(Source: NCCIC/ICS-CERT Monitor Nov-Dec 2015)
While the “state of security” data ICS-CERT releases publicly is quite limited, overall the organization provides a wealth of resources for the SCADA security practitioner.
c. RISI – Historical Industrial Security Data
RISI, or the Repository of Industrial Security Incidents, was a valuable source of industrial cyber security incidents from about 2008 to about 2014. Unfortunately when the founders of the initiative moved on to other roles, its management and voice in the community dissipated. (Here’s hoping it can be revived somehow.)
Rather than just focusing on external attacks, RISI incident reporting included incidents deemed “accidental inappropriate control.” This was key to informing the ICS community that many industrial cyber security incidents were unintentional and caused by device and software failure or human error.
You can still search the RISI online incident database by industry, country and year to find out about past incidents and their impacts. This may be helpful in providing historical examples of cyber incidents.
d. Fee-based ICS Security Reports
A number of information technology research companies offer fee-based reports and services on industrial security. The advantages of this information are that it often contains useful quantitative data and it includes recommendations resulting from discussions with a broad cross-section of end user organizations as well as vendors.
Research firms also offer analyst advisory services and these can be very helpful in providing input, especially if there is a lack of internal alignment on strategy, priorities or vendor selection.
Even if you do not buy their reports, it is a good idea to read the report abstracts and table of contents and to search the research company websites for freely available information.
There are a number of sources of cyber security data that cover all sectors of the economy plus government and public institutions. This data is released by organizations that supply cyber security services or products and represents their synthesis of trends or data from across their customer base.
While IT-focused, these reports provide overall trends that provide relevant context for industrial networking professionals and some include ICS or manufacturing-specific information.
a. Verizon Security Breach Reports – IT Focused Real-World Data
Besides its telecommunication services, Verizon has a “RISK” team that does field investigations of security breach incidents – over 500 of them in 40 companies around the world in 2015.
Starting in 2008, Verizon began producing a Data Breach Investigations Report (DBIR), an annual publication that dissects real-world data breaches and reports on trends and patterns found in an aggregated incident data set. They also produce a companion report called the Data Breach Digest (DBD) that gives a first-hand look at cyber investigations from their teams in the field.
Here’s an example of useful info from the DBIR. In 2015, the top threat action was spear phishing. Could such attacks get to engineering workstations in your operation and infect the control network from there? While there is a lot of data to digest in the DBIR, it is a very worthwhile security threat overview – plus its sassy writing style is engaging and more fun to read than you might imagine.
The DBD is fascinating because it gives the details on real cyber-investigations. The 2016 report includes a hacktivist attack (Scenario 8) on a water company given the fictional name KWC. We commented on the KWC incident and compared its security posture with another water/wastewater company that proactively segmented and secured its systems.
The DBD includes “Attack-Defend Cards” for each scenario and these might be useful tools for you.
b. Other Security Breach Reports
Other security vendors and consulting firms also produce annual threat or security breach reports; the major ones are listed below. Like the Verizon reports, these documents require significant resources to put together, so we should all be thankful that they are created and made available for free.
While these reports are IT- rather than ICS-focused, it is important to be aware of the overall threat environment and think about the warnings or lessons it provides for SCADA systems.
All of the data sources given above provide guidance on the state of industrial cyber security and what to do about it. If you have not been using these resources, take your head out of the sand and use this free information to evaluate and improve your industrial security programs.
What data sources do you turn to for ICS security information? We look forward to hearing from you.