"The Defense Science Board’s latest study on the state of cyber defense in the U.S. reaches some worrying conclusions, both for civil infrastructure and for military capability...To make matters worse, the traditional weapons systems the military relies on to deter countries from actually launching those attacks are themselves vulnerable to cyber attack, undermining a deterrence policy one Defense official articulated six years ago: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”
Our Take: Alarm bells have been sounding for years now. We've failed to respond to them adequately, and we will eventually pay the price if we cannot change course and get ourselves on an innovation and evolution timeline that outpaces the growing threat. Notably, the panel points out that the once-held belief in deterrence through the threat of military action may not be viable if you assume that any attack against critical infrastructure would also target/impact military systems. We'd go one step further and suggest that the lack of any response to the Ukraine attacks in 2015 and 2016 signals an unwillingness/lack of resolve to use military options in response to cyber attacks on critical infrastructure. In the case of critical infrastructure security - the best defense is a GOOD DEFENSE - not the THREAT OF RESPONSE.
Video: Maj. Gen. Brett T. Williams (Ret.) speaks at the Bloomberg Future of Cyber Security: Spotlight on Oil and Gas event in Houston about how threats to America’s critical infrastructure may impact the oil and gas industry. Boards need to take this on as a strategic business issue. It’s a risk management issue. People who manage risk don’t technically understand OT. Need to bridge that gap.
Our Take: We are in pretty solid agreement here. We're (thankfully) witnessing a significant change in how Oil and Gas companies think about OT security. We're working with a number of firms right now that have board-level visibility into the issue, are deploying innovative new solutions, are thinking about the problem in terms of the full supply chain, etc. Refreshing - but more work definitely needs to be done. See the video below but check out what we're doing for one offshore oil rig operator here.
"Ransomware incidents are occurring in industrial control systems (ICS). We had two recent incidents from Brazil discussed at S4x17, and we have detailed reports from our contacts of many more. The details indicate it is standard, not tailored to ICS, ransomware for computers that has found its way into an ICS. Unfortunately, ICS are likely to see smarter ransomware and targeted attacks to get it onto ICS PLC’s, RTU’s and controllers"
Our Take: Is the word "THIS!" adequate? No? OK - this is absolutely spot on. We've been saying for some time now that the threat landscape in ICS/OT is evolving from the "cyber Pearl Harbor" scenario everyone has always talked about (nation on nation) to one in which criminals will be engaged. We've also been pointing out this fact from the article:
"The vast majority of the deployed PLC’s are insecure by design. If an attacker can access the PLC he can change the logic or program and even upload his own firmware. No hack is necessary because these are legitimate and functions that lack even the requirement for a username/password."
Dale gets this right (as he often does) - and rightly points out that many of the world's largest PLC manufacturers are making good strides toward better security by design - but there is a tremendous amount of ground to cover... we need to get to covering it!
"With the goal of protecting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems from cyber threats, Bechtel says the lab will leverage its experience designing and implementing National Institute of Standards and Technology Risk Management Framework (NIST-RMF) solutions for its government customers."