OT/ICS News Roundup Week of 3.27.17

Here are a few stories that turned our heads over the past few days: 

Industrial Control Systems - The Holy Grail of Cyberwar

This is a very well put together piece by Joe Weiss - definitely have a read...

"Regulators and utility industry leaders need to wake up to the risks that could let malicious hackers cause widespread physical damage to the grid and other critical infrastructure...Unfortunately, many ICS devices, including new ones, are still insecure by design and many legacy ICSs cannot implement IT security technologies. Yet the devices won’t be replaced because they still work. The culture gap that exists between the IT organization and the control system organizations exacerbate the physical threats in attempting to secure ICSs..."

Our Take: We've had a few rather alarming conversations over the past couple of weeks with security leaders at some very large companies. Some - but thankfully not all - of these otherwise incredibly brilliant people have questioned whether or not there is a 'burning need' to invest more in OT/ICS security. The logic behind the argument was "we aren't seeing anywhere near the level of attacks against OT as we are IT" - hard to argue against this point from a purely quantitative perspective. However, the counterargument is easy once you consider that visibility into these networks is so poor that even if attacks are occurring daily, they're likely not detected. Also, considering the severity of impact even a single successful disruptive attack would produce, the risk is so pronounced that there is a definite need for immediate action. The fact is that the state of OT/ICS security isn't a year or two behind IT - it is decades behind. Failure to invest in and improve the security posture of the OT/ICS network at this point in time - when the writing is on the wall that threats are growing - is playing a very dangerous game of Russian roulette (no pun intended).


Tech Professionals Train Locally to Defend Nation's Critical Infrastructure 

"The Industrial Control Systems Cybersecurity training course is offered at the Idaho National Laboratory’s Control Systems Analysis Center, and is hosted by the DHS Industrial Control Systems Cyber Emergency Response Team."

Our Take: Kudos to Idaho National and ICS-CERT - they've trained over 4,000 people since this program began. If you haven't taken part - take a serious look at involving yourself/your team in the future.


TRIPWIRE: 96 Percent of IT Security Professionals Expect an Increase in Cyber Attacks Against the Industrial Internet of Things

"Ninety-six percent of those surveyed expect to see an increase in security attacks on IIoT in 2017.

Fifty-one percent said they do not feel prepared for security attacks that abuse, exploit or maliciously leverage insecure IIoT devices.

Sixty-four percent said they already recognize the need to protect against IIoT attacks, as they continue to gain popularity among hackers"

Our Take: Do you ever look at the stats in a survey and immediately see a problem? 96% of respondents expect an increase...51% don't feel prepared...64% already recognize a need to better protect. If nearly everyone can see the writing on the wall, why can't everyone see the need to get moving NOW to get ahead of the threat? This is an argument we've been making and will continue to make. Unlike the world of IT security, where we can get it wrong without an immediate and reverberating impact, failures in OT/ICS security will be immediately and widely felt. Safety of plant floor personnel and the general populace, the health and ability of our economies to survive - all are at risk if we get this wrong while the adversary gets it right. We're happy to see people waking up to the reality of what we face, but displeased that there isn't more of a groundswell to do something about it.