Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:
U.S. Department of Energy: Department of Energy Invests $8.8 Million in Innovative Technologies to Enhance Fossil Energy Power Systems
The U.S. Department of Energy (DOE) has selected 15 projects to receive nearly $8.8 million in federal funding for cost-shared research and development (R&D) projects to develop innovative technologies that enhance fossil energy power systems.
Area of Interest 1: Sensors and Controls Technology Development for Cybersecure Fossil Power Generation
- Cyber Security Risk Reduction Framework for Generation I&C Technology
- Physical Domain Approaches to Reduce Cybersecurity Risks Associated with Control Systems
- Cyber Secure Sensor Network for Fossil Fuel Power Generation Assets Monitoring
- Operational Technology Behavioral Analytics
Our Take: It is great to see DOE focusing attention on and funding projects aimed at protecting the OT/ICS systems that underpin our electric generation and transmission from cyber attacks or making them more resilient. They even call out “difficult challenges including including limited visibility” into industrial control networks. While these are relatively small dollar grants, but are focused on innovation and solving problems, rather than simply studying the problem once again.
Center for Internet Security: CIS Controls V7 Implementation Guide for Industrial Controls Systems Now Available
In an acknowledgement that some operational environments present unique requirements not previously addressed by the CIS Controls™, CIS® (Center for Internet Security, Inc.) now offers the CIS Controls V7 Implementation Guide for Industrial Controls Systems. This new guide addresses how to use the CIS Controls to bolster cybersecurity amidst the unique constraints of Industrial Control System (ICS) environments.
Our Take: CIS does the industry a service by helping asset owners understand how to apply the CIS Controls to industrial control systems. This is worth a read, especially for security practitioners that are new to the ICS/OT space. It does a nice job explaining some things that make securing ICS systems somewhat unique. We believe the NIST Cybersecurity Framework will be more widely adopted, but the CIS adaptation of their controls to ICS is nice work and a helpful addition to the knowledge base.
Fifth Domain: Agencies want new emergency powers after a cyberattack
Key government agencies could soon be able to seek small contracts after a cyberattack or natural disaster, which could allow for a faster and easier response in an emergency.
Three federal organizations, including the Department of Defense, may be able to award contracts of $20,000 in the face of a cyberattack and categorize them as a “micro-purchase,” if a proposed rule is implemented, according to the Federal Register.
The change allows the federal government to more readily award contracts to the commercial marketplace and should speed up the agencies’ approval process, said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, a trade association that advocates for government contractors.
Our Take: This is not much of a financial threshold for cyber-related incident response. At $150/hour for a consulting (this number is likely very low for skilled threat research/incident response personnel) that would be about 133 hours of work in total.
Vulnerabilities that would have been fixed years ago on corporate networks remain unguarded, mainly because organizations fear the high cost of downtime to upgrade cyber security systems and software, Positive Technologies said in its research report, Industrial Companies: Attack Vectors. In the ICS security specialist’s tests, attackers were able to penetrate the network perimeter of 73 percent of industrial organizations. At 82 percent of those markers tested, it was possible to gain a foothold to access the broader industrial network containing ICS equipment.
“Industrial control systems are critical to operations at industrial facilities, but poorly protected in terms of information security,” the study’s authors wrote. “Successful attacks against ICS components can cause more than just financial losses. Unauthorized modification or disruption may lead to blackouts, transportation failures, or even major disasters with loss of life.”
Some of the key take-aways from the report are:
- Most ICS environments are highly vulnerable to cyberattack
- Many industrial networks are not well segmented from business networks which can allow attackers to move into them laterally from information systems
- Security teams generally have very poor visibility into ICS networks
While this research echos what we and others have been saying for some time, we welcome any data which helps increase awareness and sparks action. While more organizations are opening their eyes to the reality of their industrial cybersecurity posture, it’s clear from this data that there is still a long way to go.