SANS Industrial Control Systems Security Blog

ICS defense goals for the new threat matrix

While it is true that we can't stop all attacks from happening, we need to be able to anticipate them, make them more difficult to execute, identify them as early as possible, and have a well-exercised plan and capability to respond to them and minimize their impact. The SANS ICS team has developed and hosts a series of ICS security courses designed to equip engineers and cyber defenders with the knowledge required to accomplish these goals.

If we are honest, we would recognize our tendency to suffer from 'predictable surprise' far too often. Collectively we are observing an increase in reported ICS incidents, with recent evidence pointing to multiple targeted attacks that include ICS-capable exploits. The U.S. Department of Homeland Security's ICS-CERT has been warning of an increased risk of attacks focused on control systems, citing an increase in Internet-accessible configurations, the availability of control-system-specific exploitation tools, and increased interest from threat actors.

The ICS exploit capability associated with the BlackEnergy 2 (BE2) campaign should not have been the surprise the media made it out to be. Warnings went unheeded: the relevant vulnerabilities had been publicly disclosed several years earlier, and exploit code was made available afterwards. The important takeaway is that we should have been able to anticipate these specific attacks.

We have moved from a world where a static defense, such as reliance on simple network segmentation, was effective to a world that demands we go further. The discovery of an OPC exploit module in the Havex Trojan, and the observed delivery tactic of watering-hole attacks on websites related to the ICS supply chain, exemplify the newest chapter in the book of ICS cyber threats. This form of directed attack requires ICS defenders to deploy improved and more active defenses while possessing the knowledge and skills necessary to respond effectively.
