Do you believe that your control system is in more danger from cyberattacks now than it was a year ago? How does this compare with what other organizations are experiencing? How does your company compare to others in terms of doing security assessments? What security initiatives are others prioritizing?
If any of these questions are of interest, you will want to study the “SANS 2016 State of ICS Security Survey” report. As I mentioned in a recent article on where to find hard-to-get ICS security data, this is one of the only no-charge sources of ICS security data available. It also has the advantages of being an annual report, so changes over time can be identified, and it provides quantitative statistics.
Last year when I reviewed the 2015 results, I summarized the security controls recommended by SANS and included some additional advice based on Belden’s field experience with customers. This year I am going to comment on 3 aspects of the report’s findings: security threats and perceptions, security visibility and the convergence of IT and OT. Read on to learn more and to find out where to obtain the report and related resources.
The electrical substation shown above represents the largest group of respondents to the 2016 SANS survey: energy and utility organizations. That’s not surprising since they receive high levels of cyberattacks.
More than 300 industrial entities completed the SANS survey and a key finding is that 67% of them perceive the threat level to control systems as severe or high, up significantly from 43% in 2015. Factors contributing to the increased perception of threat include:
The top three threat vectors that organizations are most concerned with are external threats, internal threats and malware families. One threat that decreased year-to-year is that posed by IT/OT integration.
Internal threats were a concern of 42% of respondents, up more than 21% from last year. I was glad to see this category further broken down, as it wasn’t in the past. The new breakdown shows intentional internal incidents separately from unintentional internal incidents. Interestingly, unintentional internal threats are the second highest perceived threat overall.
This type of threat could be a human error such as a misconfiguration, inadvertent use of an infected USB flash drive or responding to a spear phishing email. Alternatively, with a lot of legacy equipment in use, it could be from a device or software error. Since the top business driver for control system security is ensuring reliability and availability, it points to the need to prioritize measures such as configuration and change management monitoring for safeguarding uptime.
While the 2015 SANS report devoted a large percentage of its comments to security controls and methodologies, the 2016 SANS report focuses on security visibility. This might reflect the fact that industrial organizations are more mature in terms of the level of security programs they are executing now.
For example, in the past, Belden’s advice for organizations wanting to improve their security posture would include doing a risk assessment, identifying key assets or systems and protecting them first, making sure to have a well-designed network with good segmentation as per ISA IEC 62443, implementing Defense in Depth measures and using industrial firewalls as compensatory controls for vulnerable devices that cannot be easily secured any other way.
One indication that industrial security has moved forward, and not just at the big energy entities, is the widespread use of cybersecurity standards. The 2016 SANS report finds that 47% of respondents use the NIST guidelines and most organizations are mapping their security measures to more than one set of standards.
The chart above, taken from the SANS 2016 ICS Survey webcast slides, shows that the NIST Guide is the most widely used standard. Note that the “ISA99” standard is the same as ISA IEC 62443.
So what’s next? One area that is considered “basic hygiene” in the IT world is to implement security visibility controls such as intrusion detection, log management, configuration management and file integrity monitoring.
While the tools that IT uses for security visibility are not necessarily suitable for high availability control networks, the 2016 SANS report points out that a way to start on improved visibility is with security assessments. These include documenting assets and network connections and increasing sophistication to include things like network traffic baselining, security breach detection, vulnerability identification and remediation tracking.
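Two of the visibility measures named above, network traffic baselining and configuration/file integrity monitoring, are small enough to show in working code. The example below is added here as an illustration and is not from the SANS report or from Belden; the flow records, configuration files and the 10.0.1.0/24 control-network range are constructed sample data. A baseline of conversations (source, destination, port, protocol) is learned from a known-good window, later observations are compared against it, and a hash manifest of approved configuration files is checked for modified, missing or unexpected files:

```python
"""Added example: a minimal traffic baseline and configuration-integrity check
of the kind an ICS security assessment would feed into ongoing monitoring.
All data below is constructed for illustration."""
import hashlib
import ipaddress

# Assumed control-network range; everything outside it is "external".
CONTROL_NET = ipaddress.ip_network("10.0.1.0/24")

# Constructed flows from a known-good learning window: (src, dst, dst_port, proto)
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),   # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", 502, "tcp"),   # HMI -> second PLC
    ("10.0.1.5", "10.0.1.10", 3389, "tcp"),   # engineering workstation -> HMI
    ("10.0.1.20", "10.0.1.30", 123, "udp"),   # PLC -> NTP server
]

# Constructed flows from a later observation window
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),
    ("10.0.1.10", "10.0.1.21", 502, "tcp"),
    ("10.0.1.20", "10.0.1.30", 123, "udp"),
    ("10.0.1.77", "10.0.1.21", 502, "tcp"),    # host never seen before talking Modbus
    ("10.0.1.10", "203.0.113.9", 443, "tcp"),  # HMI reaching outside the control net
]


def build_baseline(flows):
    """Learn the set of allowed conversations from a known-good capture."""
    return set(flows)


def find_deviations(baseline, observed, control_net=CONTROL_NET):
    """Return one alert per observed flow that is absent from the baseline.

    The reason recorded is the most specific one that applies: the destination
    lies outside the control network, the source host is unknown to the
    baseline, or it is simply a new conversation between known hosts."""
    known_hosts = {f[0] for f in baseline} | {f[1] for f in baseline}
    alerts = []
    for flow in observed:
        if flow in baseline:
            continue
        src, dst, port, proto = flow
        if ipaddress.ip_address(dst) not in control_net:
            reason = "external_destination"
        elif src not in known_hosts:
            reason = "unknown_source_host"
        else:
            reason = "new_conversation"
        alerts.append({"flow": flow, "reason": reason})
    return alerts


# Constructed approved configuration files (name -> bytes) and their current state
APPROVED_CONFIGS = {
    "plc01.cfg": b"scan_cycle=10ms\nwrite_protect=on\n",
    "firewall.rules": b"allow 10.0.1.10 -> 10.0.1.20 tcp/502\n",
}
CURRENT_CONFIGS = {
    "plc01.cfg": b"scan_cycle=10ms\nwrite_protect=off\n",  # write protection disabled
    "firewall.rules": b"allow 10.0.1.10 -> 10.0.1.20 tcp/502\n",
    "debug.cfg": b"remote_debug=on\n",                      # file not in the manifest
}


def fingerprint(content):
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(files):
    """Record the digest of every approved configuration file."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_integrity(manifest, current):
    """Compare the stored manifest with the files as they exist now.

    Returns (name, finding) pairs: 'modified', 'missing' or 'unexpected'."""
    findings = []
    for name, digest in manifest.items():
        if name not in current:
            findings.append((name, "missing"))
        elif fingerprint(current[name]) != digest:
            findings.append((name, "modified"))
    for name in current:
        if name not in manifest:
            findings.append((name, "unexpected"))
    return findings


if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print("traffic deviation:", alert)
    for name, finding in check_integrity(build_manifest(APPROVED_CONFIGS), CURRENT_CONFIGS):
        print("config finding:", name, finding)
```

In practice the baseline would be learned from a passive capture or asset inventory over a long enough window to cover maintenance traffic, and the manifest would be refreshed only through the change-management process, so that an unexpected digest change is itself the signal.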
In terms of where industry is today, only 26% of respondents have conducted a security assessment in the last 3 months. 31% have not done one for more than a year or have never done one.
When a security assessment is completed, the next step is to follow it up with security monitoring. If you are from the ICS side of your business, these types of measures could be new to you. I suggest you read the 2016 SANS report to orient yourself to them, and then open a discussion with your IT colleagues to find out more. That nicely takes me to the next section.
In the opening minutes of the webcast that supports the report, SANS explains that 46% of the respondents to the survey have job responsibilities that cover both IT and OT and the balance of the respondents were purely either IT or OT. That is a high percentage of people with joint responsibilities!
I suspect that a lot of the people with joint responsibilities originated from the IT organization, simply from the fact that the second highest cybersecurity standard used by survey respondents is the SANS 20 Critical Security Controls. This is a set of controls that is not well known by ICS professionals.
However, wherever they originate, let’s be thankful that more people have joint IT and OT responsibilities. Of all the security challenges that exist, maybe getting these two groups to cooperate is not as big a challenge as we feared. One thing that I can say to the ICS people – in order to improve your organization’s security posture, you are just going to have to cooperate closely with IT.
Upping security controls to include things like configuration compliance monitoring, regular security assessments and the utilization of threat intelligence engines is not something most operations engineers can or want to do. However, becoming familiar with the tools and providing expertise that protects the running of mission-critical control networks is essential.
The SANS report includes a lot of useful information and most of it is not covered here. I highly recommend you read it and also watch the webcast that accompanies the report. The comments of the webcast presenters will help you digest the report’s data.
Thank you to the SANS organization and to researchers Derek Harp and Bengt Gregory-Brown for providing these valuable resources.
What is the state of security in your control system? Do your practices confirm or diverge from the reported data? I look forward to hearing from you.