Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past few days:
Houston Chronicle: How long can the U.S. keep hackers at bay and the lights on?
Last year, members of DHS' Industrial Control Systems Cyber Emergency Response Team recorded 290 cases of hackers gaining access to systems at everything from power plants to telecommunications systems. Considering companies are not required to report such incidents unless they lose control of critical infrastructure - to date something that has never been publicly reported in the United States - that number is likely far lower than the reality. Still, it represented more than twice as many incidents as were reported in 2011.
"What the electric industry folks tell me is, 'We lay awake at home every night thinking about this,' " said a former top energy official in the Obama administration, who declined to be identified because those conversations were private. "Someone from one of the nation's largest utilities, and I can't say who, told me they had hackers trying to get into their system 3,000 times a day.
Our Take: We have repeatedly gone on record with our warnings that the threat landscape in ICS/OT security is heating up. While there are often conflations between “probing” and “attacks” which may lead to overstatement of the problem (we don’t believe 3,000 attacks a day are occurring), the fact of the matter is that there is ample reason for concern. With red-lines crossed twice now in Ukraine, with disclosure of a world-wide campaign targeting Energy and Nuclear, and with hundreds of millions in losses now being blamed on the spill-over of WannaCry and Petya/Not-Petya – the take away should be clear. The threat is building and we must take action to counter it.
Dale Peterson had a twitter poll on DigitalBond.com asking what people think about the availability of security in sensors, actuators, instruments (Purdue Model Level 0 devices) considering process sensor vendors do not include authentication or security in their sensors. Of the 77 replies to Dale’s survey, 83% said no Encryption or Authentication was available, 5% said Authentication was available, 3% said Authentication and Encryption was available, and 9% said I don’t know.
If 83% recognize that process sensors have no Authentication or Encryption (security), why isn’t there more being done about security at that level as it affects all of ICS cyber security?
When I talked to Dale about the results, he said the survey results validate that people who attend S4 recognized there was no security at Level 0. Serial-to-Ethernet converters have been shown to be cyber vulnerable enabling a path into the sensors. In fact, the cyber vulnerability of the serial-to-Ethernet converters was the vehicle for inserting BlackEnergy into the US and Ukrainian grids.
Our Take: We’ll point you to our thoughts on the “Lost Decade of Information Security in Industrial Control Systems networks” – basic takeaway, we have major hills to climb as a community.
International Business Times: Cyber 9/11: White House Advisors Warn Of Critical Infrastructure Vulnerabilities
Also on the list of suggestions from NIAC was improved information sharing that would allow for quick declassification and improved threat intelligence sharing. The report also called for improved scanning tools and assessment practices and an exchange program between public and private organizations to strengthen skill sets of IT professionals.
Our Take: One of the most critically important (and also baseline) requirements of better industrial control systems security is the deployment of network monitoring and threat detection solutions. That's not just a self-serving statement given what we do in Claroty Platform. How can we even begin to claim these networks are secure if we aren't monitoring them deeply and in real-time? The sad reality is that so many of our most critical ICS networks lack this monitoring.
With respect to other thoughts outlined, we believe in the power of intelligence/information sharing and are supportive of this recommendation. We are equally supportive of more rapid declassification of intelligence related to on-going campaigns.
All of this said, the warnings laid out in this article - they're the same warnings we've heard for 20 years. KUDOS to the NIAC for pointing this out...
"Cyber 9/11: White House Advisors Warn Of Critical Infrastructure Vulnerabilities The challenges the NIAC identified are well-known and reflected in study after study,” the NIAC wrote. “There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions.”
The time for discussion is long over, it is time to ACT.