By: Tony Cole, CTO
Humans are fallible. This is a fact I wish more people would understand, especially as it relates to software development. No human can write a reasonably sophisticated program that delivers the requested capabilities without also introducing some number of errors.
By improving both efficiency and efficacy in ICS environments, from power generation to transportation systems, from petrochemical operations to manufacturing, software simply makes our lives better. Unfortunately, it often contains inherent errors that create vulnerabilities an adversary can exploit. A recent article in Motherboard by Sean Lyngaas gives some good examples of risk in nuclear power plants due to supply chain vulnerabilities. Those vulnerabilities are almost always driven by software errors, compromised code, stolen certificates, and sometimes hard-coded passwords built into software running in ICS systems. This presents a real risk to our critical infrastructure from nation-state attackers.
In 2016 FireEye published a report, titled ‘Overload, Critical Lessons from 15 Years of ICS Vulnerabilities,’ which analyzed and highlighted 1,552 publicly available ICS vulnerabilities. One-third of them were zero-days, meaning a vulnerability existed with no patch to fix it. ICS security company Dragos recently released a report on ALLANITE, a threat actor targeting US and UK utilities using watering-hole and phishing attacks, which described the current industrial threat landscape as “very concerning.” Over the last two years, things have not improved. In fact, given current geo-political challenges, it’s likely the targeting of ICS will continue and get much worse than it is today. So, what can be done?
Today, organizations should follow best practices for their industry in procuring, testing, implementing and running ICS systems in critical infrastructure.
- If you’re new to the ICS area, there is a wealth of information available online that can help you navigate the space – simply search for “ICS cybersecurity standards” from NIST, ICS-CERT, ISA, UL, SANS, and others. Find and follow best practices that apply to your industry, and of course, all regulatory statutes.
- Continuously verify that no one is in your environment. Many ICS systems remain in place for many years, since product life-spans can run for decades. Ensure the proper security controls for your environment where possible – and even in trusted environments, trust but verify.
- Implement threat deception inside your environment to identify adversaries who have broken into your systems, malicious insiders, and overly curious employees violating access policies who may cause inadvertent damage. Deception is rapidly emerging in ICS environments. This technology can deliver great value simply by creating decoys of some of your most critical systems and placing enticing lures and breadcrumbs that lead adversaries already inside the wire into the decoy systems. This is done with little to no impact on your production systems. The decoy systems available for ICS continue to expand into more of the commonly used protocols and today already support Modbus, BACnet, CIP, S7comm, IPMI, and many more. These decoy capabilities also extend into the IoT/IoE area, where many applications are available as well. What makes this capability so strong for ICS/IoT/IoE is that users can import their own golden system images into the decoys, so you have real systems that will attract even sophisticated attackers. When those systems are accessed, they immediately alert you, and since the notification is based on interaction with the attacker, there are no false positives. The same holds for deception credentials: if someone attempts to use them, you get alerted, and there are no false positives.
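To make the decoy idea concrete, here is an added example (not code from the original post or from any vendor product) of the core of a Modbus/TCP decoy. No legitimate engineering workstation should ever talk to a decoy PLC, so the decoy treats every inbound frame as an alert: it parses the MBAP header and function code, records who asked for what, grades writes above reads, and replies with a Modbus "Illegal Function" exception so the client sees what looks like a live device without any process data being served. The listening port (5020 instead of the standard 502, which needs privileges), the function-code table and the sample frames in the self-check are constructed for this example.

```python
"""Minimal Modbus/TCP decoy: every inbound request is an alert (added example)."""
import socket
import struct
from datetime import datetime, timezone

# Subset of public Modbus function codes, used only to label alerts (constructed table).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_frame(data: bytes) -> dict:
    """Parse an MBAP header followed by a PDU; raise ValueError on a malformed frame."""
    if len(data) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", data[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id %d)" % protocol_id)
    # The MBAP length field counts the unit id plus the PDU, so the PDU is length - 1 bytes.
    pdu = data[MBAP_LEN:MBAP_LEN + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("frame truncated: expected %d PDU bytes" % (length - 1))
    function_code = pdu[0]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function_name": FUNCTION_NAMES.get(function_code, "Unknown/vendor"),
        "is_write": function_code in WRITE_FUNCTIONS,
        "data": pdu[1:],
    }


def build_exception_response(frame: dict, exception_code: int = 0x01) -> bytes:
    """Modbus exception reply: function code with the high bit set, then the exception code.
    0x01 is 'Illegal Function'; the decoy never actually services a request."""
    pdu = struct.pack(">BB", frame["function_code"] | 0x80, exception_code)
    header = struct.pack(">HHHB", frame["transaction_id"], 0, len(pdu) + 1, frame["unit_id"])
    return header + pdu


def make_alert(source_ip: str, source_port: int, frame: dict) -> dict:
    """Any interaction is an alert; writes are graded higher because they signal intent to change state."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "severity": "high" if frame["is_write"] else "medium",
        "source": "%s:%d" % (source_ip, source_port),
        "decoy_unit": frame["unit_id"],
        "function": "%d (%s)" % (frame["function_code"], frame["function_name"]),
        "detail": frame["data"].hex(),
    }


def handle_client(conn: socket.socket, addr: tuple, alerts: list) -> None:
    """Read one frame, record an alert, and answer with an exception so the peer sees a 'live' PLC."""
    with conn:
        data = conn.recv(260)  # Modbus/TCP ADU maximum is 260 bytes
        if not data:
            return
        try:
            frame = parse_modbus_frame(data)
        except ValueError as exc:
            alerts.append({"source": "%s:%d" % addr, "function": "malformed", "detail": str(exc)})
            return
        alerts.append(make_alert(addr[0], addr[1], frame))
        conn.sendall(build_exception_response(frame))


def run_decoy(host: str = "0.0.0.0", port: int = 5020, alerts: list = None) -> None:
    """Serve the decoy forever; each accepted connection produces at least one alert record."""
    alerts = alerts if alerts is not None else []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            handle_client(conn, addr, alerts)
            print(alerts[-1])  # in practice: forward to the SIEM / alerting pipeline


if __name__ == "__main__":
    # Offline self-check on a constructed 'Read Holding Registers' request, then serve.
    sample = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
    print(make_alert("10.0.0.5", 40000, parse_modbus_frame(sample)))
    run_decoy()
```

The point of the design is that the decoy holds no process state and answers nothing useful, so there is no operational impact, while the alert carries exactly the fields an analyst needs to triage (who, which decoy unit, which function, what arguments). A production deployment would add per-connection handling, connection logging for frames that never arrive, and a proper alert sink in place of `print`.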
If you haven’t looked at deception technology, the time to act is now. Recently recommended by Gartner as a top ten strategic tool for 2018, deception technology adoption is rapidly growing in the enterprise (covering not just standard IT) and can give you critical information without adding to analyst alert fatigue. Whether you’re operating a power plant or oil refinery or have responsibility for ICS or IoT, building infrastructure or OT environments, you want to be the first to know who is inside your perimeter, accessing your systems, and how to stop them in their tracks. Threat deception may be new to you, but it’s no longer new to ICS and is now commonly viewed as a critical control within the security stack.