How is your organization doing relative to others in terms of how many security breaches occur on your control systems and how well you identify their sources? What about the size of your security budget versus others? Or how well you are managing the convergence of IT and OT systems?
If you would like to know the answer to these questions, the SANS Institute has a report for you. And, the good news is you can download it for free.
The results of the 2015 SANS survey of more than 300 industrial respondents are available. I want to draw your attention to this useful resource and to highlight a few of its findings. I also want to point out a few areas where Belden’s experience and recommendations are slightly different from those of SANS.
Reports from organizations like SANS help you stay current with ICS security best practices.
SANS Institute – An Important ICS Security Resource
Post-Stuxnet, SANS, an organization dedicated to cooperative research and education about cybersecurity, began an ICS-specific security practice. It now provides an annual report on the state of industrial control security. In addition, through its extensive training program, SANS offers industrial cybersecurity professional certification.
Bottom line, if you are not familiar with SANS, take the time to find out about it and how your organization can benefit from its work.
Tripwire, a Belden-owned company, has worked extensively with SANS. In particular, the SANS 20 Critical Security Controls (CSC), a prioritized list of security controls that maps to the NIST framework, was developed with the input of many organizations and experts, including Tripwire. (FYI, Tripwire provides additional resources on the SANS 20 CSC that might be useful to you.)
While we are on the topic of useful resources, I would also like to point out RISI. RISI stands for the Repository of Industrial Security Incidents and it is a free database of security events. RISI is owned and managed by exida, an industrial cybersecurity and safety consulting company, and it is funded by member contributions. Though much smaller and more focused than SANS, it does provide useful information.
What Are the Most Important Industrial Security Threats and Drivers?
One thing that is not a shocker in the SANS report is that respondents indicate their primary concern about the security of control systems is ensuring their reliability and availability. Let’s keep this thought in mind as we examine some of the other data.
For example, the most concerning threat vector identified by respondents is external actors (73% of respondents put this as one of their top three concerns). With high profile cyberattacks (Sony, Target) and malware (Duqu 2) making headlines in the mainstream media, it is not surprising that companies are concerned about such threats.
The second most pressing concern identified by survey respondents is internal threats (49%), followed by integration of IT into control system networks (46%).
The internal threat category is not broken down. I assume it includes the deliberate actions of insiders as well as accidental incidents. I point that out because previous RISI data indicated that unintentional incidents, especially those due to device and software failure, were particularly important.
According to 2011 RISI data, most cybersecurity threats and incidents are unintentional and occur inside industrial networks.
IT and ICS Convergence
IT and control systems are integrating more and more, particularly with the advent of the Industrial Internet of Things. Thus an interesting aspect of the new SANS data pertains to the state of organizations’ planning efforts around convergence.
The good news is that the importance of having a security strategy that addresses convergence is recognized by 83% of the survey respondents. The more challenging news is that only 47% of them actually have a strategy.
Another interesting data point is that a majority of participants indicate at least a moderate level of collaboration exists between IT and control system operations groups. They also indicate that the level of collaboration is increasing. For some tips on how to collaborate, see this previous article on how IT and OT must adapt.
Important Industrial Cybersecurity Controls
The SANS report does a good job of indicating both the security controls and methodologies being used by respondents and recommending some that should be used. (For information on Belden and Tripwire products that address particular security controls, see the Related Links section at the end of this article.) While mainly in agreement with the SANS recommendations, Belden would recommend the additional measures of:
- Doing regular risk assessments and including risk from control system devices and software
- Making Defense in Depth an important aspect of the ICS security program
- Implementing excellent industrial Ethernet infrastructure design, particularly good network segmentation, as a security control
- Identifying key assets in your plant or process and providing extra protection against device and software faults internal to the network
- Using industrial firewalls as compensatory controls for vulnerable devices such as computers and machines that use Windows XP
- Including activation and use of the security features built into network devices such as switches and routers as security controls
There is one area where we diverge with SANS. SANS recommends protecting the weakest points of the system first, in particular industrial protocols. We are in absolute agreement that industrial protocols need to be protected using DPI (deep packet inspection) technology, and we offer some of the few products on the market that do it.
However, overall we recommend that companies focus on the last bullet point first and “protect the crown jewels” first, i.e. the systems that would cause a complete disaster if they were to shut down, due to either malicious or accidental causes.
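To make concrete what protocol-level DPI in front of a crown-jewel asset does, here is an added example written for this article (not Belden or Tofino product code): a minimal Modbus/TCP policy check that parses the MBAP header, rejects malformed frames, blocks write function codes for an asset declared read-only, and confines register reads to an allowed address window. The policy and sample frames are constructed for illustration.

```python
import struct

# Public Modbus function codes (from the Modbus application protocol spec).
READ_FUNCTIONS = {1, 2, 3, 4}            # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}     # writes (23 = read/write multiple registers)

# Constructed sample policy for one "crown jewel" asset: reads only, and only
# registers 0..99. A real policy would come from the firewall's configuration.
READ_ONLY_POLICY = {"allow_writes": False, "register_window": (0, 99)}

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and return header fields plus the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[7:]}

def enforce(frame: bytes, policy: dict) -> tuple:
    """Return (allowed, reason) for one request frame under the given policy."""
    try:
        msg = parse_mbap(frame)
    except ValueError as err:
        return False, f"malformed: {err}"
    fc = msg["fc"]
    if fc not in READ_FUNCTIONS | WRITE_FUNCTIONS:
        return False, f"function code {fc} not in allow-list"
    if fc in WRITE_FUNCTIONS and not policy["allow_writes"]:
        return False, f"write function code {fc} blocked for read-only asset"
    if fc in (3, 4):                      # register reads: check the address window
        if len(msg["pdu"]) != 5:
            return False, "malformed: bad PDU length for register read"
        start, count = struct.unpack(">HH", msg["pdu"][1:5])
        low, high = policy["register_window"]
        if count == 0 or count > 125 or start < low or start + count - 1 > high:
            return False, f"read of {count} registers at {start} is outside window"
    return True, f"function code {fc} permitted"

# Constructed sample frames (MBAP header + PDU), not captured traffic.
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0000 000a")    # read 10 registers at 0
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # write register 16
READ_FAR = bytes.fromhex("0003 0000 0006 01 03 00c8 0005")   # read 5 registers at 200

if __name__ == "__main__":
    for name, frame in (("READ_OK", READ_OK), ("WRITE_REQ", WRITE_REQ), ("READ_FAR", READ_FAR)):
        print(name, enforce(frame, READ_ONLY_POLICY))
```

A truncated frame (for example the first 9 bytes of READ_OK) is rejected as malformed because the MBAP length field no longer matches the bytes actually received.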
Utilize the SANS Report and Consider SANS Training
The SANS report includes a lot of excellent information and most of it is not covered here. I recommend you read it and that you also consider their courses as a way to increase the ICS security skills in your organization.
What is the state of security in your control system? Do your practices conform to or diverge from the reported data? I look forward to hearing from you.
Related Links
- SANS Report: The State of Security in Control Systems Today
- RISI Linkedin Group: Repository of Industrial Security Incidents
- Webpage: Belden Industrial Ethernet Infrastructure Design Seminar
- Blog: ICS Security: Highlights of the SANS 2016 Survey
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: What Advanced Persistent Threats (APTs) Can Teach the ICS and SCADA Security Practitioner – Part 1
- Blog: Industrial Ethernet Switches Enhance Cybersecurity at No Cost
- Blog: Windows XP End of Service – Industrial Firewalls Are an Easy Fix
- Blog: SCADA Security and Deep Packet Inspection - Part 1
Belden Industrial Firewalls
- Webpage: Security Capabilities
- Webpage: Tofino Xenon Industrial Firewall
- Product Bulletin: Tofino Modbus TCP Enforcer (Deep Packet Inspection)
- Product Bulletin: Tofino OPC Classic Enforcer (Deep Packet Inspection)
- Product Bulletin: EtherNet/IP Enforcer (Deep Packet Inspection)
Tripwire Solutions for Industrial Control Systems
- Tripwire Enterprise – advanced threat detection capabilities and log management, including support for industrial IT systems
- Tripwire Technology Alliance Program – integration between Tripwire Enterprise and partners’ products to identify malicious software on critical servers
- Tripwire Vulnerability Management - products that include specific rules for industrial IT systems
- Tripwire NERC Solution Suite – used extensively with industrial control systems
- Reducing Risk with SANS 20 Critical Security Controls