Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/9/2018
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Constructing the Future of ICS Cybersecurity

As industrial control systems are connected to the cloud and the IoT, experts discuss security challenges.

(ISC)² SECURITY CONGRESS – New Orleans – Technology is accelerating and industry is catching up. As industrial control systems (ICS) are connected to the Internet of Things and send data to the cloud, experts have begun to anticipate the security implications.

The IoT is growing and now it's moving into the industrial space, said Graham Speake, senior ICS manager at Accenture, during a presentation at (ISC)² Security Congress held this week in New Orleans. As it does, security pros have to think about securing the data their systems handle.

"Industry is always a bit slow," he explained, pointing to the oil and gas industry as an example. If you told those firms six to seven years ago that they would be sending data to the cloud, they would have been hesitant to believe you, said Speake. Now, "industry is catching up."

The number of devices is increasing 10% each year, he continued, and the world is expected to have 20+ billion devices by 2020. While many of these connected devices will be for personal use, a growing amount will be seen in industry, where machines are being connected to the cloud and more employees are using wearables, both for productivity and safety.

As an example, Speake described how a device worn by employees could track someone around a plant so people in the control rooms could monitor their location. If someone hasn't moved in a while, it could indicate they're having a problem. If there's an evacuation, such a system would help determine whether anyone is left in a dangerous situation.

"If you think about a large refinery, a large plant, it's even harder to work out who is there, who is left, and where they are," he said. Many industries – Speake points to the chemical sector as an example – are also increasingly turning to robotics as a means of improving efficiency.

However, the connectedness of ICS prompts important questions about security. In industry, for example, it's not unusual for components to have a lifetime of five to 30 years – far longer than average enterprise machines. Software updates are slow to deploy, and devices connected to the industrial IoT (IIoT) are connected to the same networks, leaving them exposed.

There is also the issue of few ICS security experts, explained Ben Miller, director of Dragos' threat operations center, in his presentation, "How to Respond to Industrial Intrusions."

"Not a lot of people are focused on ICS security," he said. "It's usually a process engineer tasked with security, or a security person assigned responsibility for control systems networks." Neither can be fully effective, he noted, as "it takes years to build up the [ICS security] skillset."

It's one of three key challenges industrial organizations face, Miller added. Another is the lack of visibility into ICS environments, and lack of understanding that you can't put IT tools in industrial environments and expect similar outcomes. The biggest hurdle, however, is threats.

We don't yet have a clear idea of the threat landscape in industrial environments, Miller said. Most of our knowledge is anecdotal; there is no large dataset for ICS threats. The lack of data makes security a challenge: you can't allocate resources if you don't know what's targeted.

Organizations have to reconcile their desire to operate in the cloud with their older systems, Speake emphasized, pointing to the history of insecurity within the industrial space.

Consider antivirus: "it works, but it's not going to stop everything," he noted. Same goes for firewalls. Companies often have a mentality "if we connect things to firewalls, we're secure," Speake said, but there are many problems with firewalls – "namely, whoever configures them."

Passwords are another example. In IT, admins advocate setting complex passwords and changing them often. Employees handling ICS often don't use passwords because they know who's on the floor handling machines and assume their systems are secure from outsiders.

There is also lack of product testing or security training among vendors, which prioritize speed.

"Vendors in the space, we were more interested in getting products out into the marketplace than trying to build security and build resiliency," he added. "The problem with vendors is, they don't train people in security." And while some are starting to, "it's a few years late," he noted.

Speake advised building security in from the start so systems are protected by default. This means testing devices and evaluating not only how robust communications are, but how secure they are. If you have to demand a certain level of security and threaten to switch vendors if it's not provided, he encouraged doing do.

Procurement documents should say "I want this level of security," he explained. "If you can't meet it, then come back to me when you can."

Related Content:

 

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
plee560
100%
0%
plee560,
User Rank: Apprentice
10/12/2018 | 5:45:56 PM
The FAIR Institute conducted a case study on how to quantify ICS-related cyber risk

Demystifying ICS Cyber Risk with FAIR


https://www.fairinstitute.org/blog/case-study-demystifying-ics-cyber-risk-with-fair
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, le...
CVE-2020-8834
PUBLISHED: 2020-04-09
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc__tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to...
CVE-2020-11668
PUBLISHED: 2020-04-09
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
CVE-2020-8961
PUBLISHED: 2020-04-09
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific loc...
CVE-2020-7922
PUBLISHED: 2020-04-09
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are u...