A recent survey by the SANS Institute suggests that organizations with operational control systems such as ICS, SCADA, process control, distributed control or facility automation still view people as both the biggest potential weakness and, in certain areas, the greatest asset when it comes to stopping cyber-attacks.
In June 2019 the SANS Institute published its report, the 2019 SANS OT/ICS Cybersecurity Survey, which explores the challenges involved with the design, operation and risk management of an industrial control system (ICS), its cyber assets and communication protocols, and supporting operations.
The report is based on a survey of 338 people including security and other professionals working or active in enterprise IT or operational control systems such as supervisory control and data acquisition (SCADA), process control, distributed control or building/facility automation and control.
Weakest links
The survey uncovered several interesting data points. For example, 62% of respondents stated that “people” are the key risk for compromise of their Operational Technology (OT) and ICS environment. This ranges from intentional malicious actors to the unintentional non-malicious actors, such as a careless employee who misconfigures a device.
Yet, the survey also highlighted that organizations are increasingly relying on in-house trained staff as the source of security intelligence. In 2017, 37.4% stated that “We rely on our trained staff to know when to search out event.” By 2019, this had risen dramatically to 60.4%.
Another data point uncovered by the SANS survey was that although 75% of respondents have inventoried their workstations and servers, which are considered the higher risk; this number drops to less than half when directly related to OT such as control system devices and software applications. This is more significant when considering that the survey found that 78% of the OT or control systems have an external connection, and 34% of those systems are connecting to the internet, either directly or through their DMZ.
Unbalanced security posture
The full report makes interesting reading and paints a picture of an ICS/SCADA dependent industry that is still struggling with the three key issues. The first is the ability to attract, train and retain skilled people. The second is an industry that is rapidly embracing new digital technologies that are blurring the line between OT and enterprise networks.
The last major issue is a form of disconnect between threat and risk. This is exemplified by the fact that even though embedded controllers and components such as PLCs and IEDs have potentially the biggest impact on the business if compromised by an attacker; only 19% of organizations collect security data from these devices.
One interpretation is that organizations with ICS and SCADA infrastructure see a wider range of potential attackers that is making the process of defining risk and designing their security model much more complicated than traditional enterprise IT organizations. The questions being asked are: Could the company be a target for a nation-state actor? Could the threat be most likely from a malicious insider, or perhaps a competitor?
Through speaking with organizations within manufacturing, energy and petrochemical, there is still a widespread assumption that secure perimeter and air gapped networks are enough to protect critical systems.
The SANS report suggests that this misconception is changing and notes that from 2017 to 2019, the use of anomaly detection tools to detect trends has grown from 35% to 44% and rising. However, many organizations still suffer from an “unbalanced” security posture where companies have deployed all kinds of advanced tools, but the people and the processes are missing in order to use the technology in the correct way.
Decisions based on risk
All these data points suggest that organizations in the industrial sector, and especially organizations that may have systems that are over a decade old; must start to shift towards business-driven risk-oriented systems. This approach will be at the core of all OT security strategy and is a shift away from current Industrial cybersecurity thinking that is focused on visibility, hygiene and threat monitoring.
Although vital, a reactive response within impact assessment can generate a firehose of alerts that can overload cyber security analysts. This is particularly true of low-maintained SCADA networks.
Instead, organizations need to perform risk assessment BEFORE deploying continuous monitoring. This risk assessment should be ICS specific and must look beyond device vulnerabilities to take into account business processes and their business impact including monetary cost, service interruption, safety, environmental impact or violation of regulations.
Once base line risk has been defined; it must be utilized to optimally handle the monitoring of systems events and recommendations. This capability must consider the different threats, business processes and of course, the probability and potential impact of every cyber event with reference to attack flows in the network to focus on the key devices to protect.
Without a risk orientated approach, there is a danger that Infosec teams will waste valuable and finite resources fixing potential problems that have little material impact on critical systems while more dangerous vulnerabilities remain.
Risk assessment must be continual to reflect the updates to devices, vulnerabilities and new threat intelligence. Considering that ICS CERT will typically add between 100-150 new entries each quarter that are relevant to ICS/SCADA environments, the ability to categorize systemic risks effectively and continually should be the most vital consideration for every organization in the future.