In last week’s blog, we discussed why it’s important for critical infrastructure providers to recognize that by solely deploying preventative solutions, they are actually setting themselves up for failure. Cost-effective, scalable, post-intrusion detection solutions will help strengthen overall security strategy through proactive measures.
Truth #4: Most critical infrastructure providers don’t know what digital vulnerabilities they have, where to find them or how to fix them
Each critical infrastructure provider must develop and implement cybersecurity countermeasures tailored to its specific physical and digital infrastructure. This is hugely unfamiliar territory for most providers, who have relied on their equipment vendors to handle both ICS/SCADA and IT security.
Unfortunately, neither traditional critical infrastructure vendors nor IT security vendors are fully equipped to counter the unique hybrid threat of cyber-enabled critical infrastructure attacks: The former aren’t schooled in IT security, while the latter aren’t used to protecting non-IT physical assets. Even worse, sometimes ICS/SCADA vendors don’t reveal vulnerabilities or even purposely install capabilities – such as unremovable backdoors – that attackers could easily co-opt.
Scared they might overlook dangerous threats already on their systems, providers are reaching out to private forensic analysis companies and government authorities for help. A key, trusted government component is the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Control Systems Security Program (CSSP) at the U.S. Department of Homeland Security (DHS). ICS-CERT specializes in forensic incident response and vulnerability assessment throughout the critical infrastructure spectrum, from sectors as a whole to individual owners and operators.
ICS-CERT’s June 2012 Incident Response Summary Report stated that the organization fielded nine incident reports in 2009, 41 in 2010 and 198 in 2011 – a 2,100-percent increase in only two years. Most incidents were not actual attacks, but of the 17 incidents that warranted on-site assessments:
- 7 were the result of spear phishing, with at least one incident involving infection from a USB device
- 11 involved sophisticated threat actors seeking sensitive data
- 12 could have been deterred, detected much faster or mitigated if the organizations had implemented IT security best practices
The report noted that while none of the intrusions targeted control system networks, the flat and interconnected nature of many organizations’ networks made them potentially easy pickings for attackers. Another common weakness ICS-CERT discovered was that most providers lacked adequate detection technologies. “Properly developed and implemented detection methods are the best strategy to quickly identify intrusions and implement mitigation and recovery procedures,” the report stated.
Based on the report, it’s important for these providers to understand that the right tools in the right environment will make a huge difference in the long run. Next week, we’ll discuss the tools, skills and mindset needed to effectively deal with cyberattacks and APTs.