Critical Industrial Facilities in the US Still Not Getting Security Right
We are hired on a routine basis to conduct penetration testing of utility systems and to conduct NERC CIP Cyber Vulnerability Assessments of the internal SCADA components as well, so my remarks below emanate from real field work that we have been conducting for over 10 years now.
A solid cyber security program must be balanced between four key themes:
1. Building and maintaining a strong DEFENSIVE capability to block threats at the perimeter
2. Having the DETECTION capabilities to know when something abnormal has occurred
3. Developing your IT security team’s capabilities through training and exercises so they are prepared to RESPOND when needed
4. Leveraging technology to be able to quickly RESTORE systems after an attack or incident
To sum it up in one word each, the four stages of cyber security are Defend, Detect, Respond, and Restore. Measured against those four stages, here is what we see in the field:
1. Unfortunately, many of our clients in the utility industry may claim they are NERC CIP compliant, and they may have checked all of the regulatory check boxes, but when the rubber meets the road, they are not truly ready for a real cyber threat when it hits. They do not have the capability to really defend their systems from a targeted spear-phishing attack (because humans will click on attachments and links they shouldn’t despite all of the awareness training you throw at them). They should leverage IPS appliances at the perimeter of the networks that perform deep packet inspection of every packet entering the network. Technology can help offset human weaknesses.
2. They do not have the detection systems in place to know when malware or a rootkit is phoning home to command and control servers and stealing information off of their network. Many are not monitoring their front door. A simple network monitoring solution that monitors, tracks, and alerts on abnormal traffic patterns can detect most APT attacks, but very few are investing in these monitoring systems.
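As an added example (not from the original post or from any vendor product it mentions), the following Python script shows the kind of "abnormal traffic pattern" check a basic network monitoring solution can run over egress logs: it looks for hosts that contact the same external address on a near-fixed timer, which is how most malware and rootkits "phone home" to command and control. The log format, the IP addresses, and the threshold values are all constructed assumptions for illustration. An allowlist parameter is included because SCADA environments have legitimate periodic traffic (NTP, historian polling, update servers) that would otherwise trip the same check.

```python
"""Beacon ("phone home") detection over egress connection logs.

Added illustrative example; the log format and all values are constructed,
not taken from any real network or from the original post.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log lines (assumed format):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 10.10.5.23 talks to 203.0.113.7 every ~5 minutes (timer-driven);
# 10.10.5.40 shows irregular, human-driven browsing.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.10.5.23 203.0.113.7 443 512
2024-03-01T08:00:01 10.10.5.40 198.51.100.20 443 20480
2024-03-01T08:05:00 10.10.5.23 203.0.113.7 443 520
2024-03-01T08:07:12 10.10.5.40 198.51.100.21 443 18000
2024-03-01T08:10:00 10.10.5.23 203.0.113.7 443 515
2024-03-01T08:15:01 10.10.5.23 203.0.113.7 443 511
2024-03-01T08:16:40 10.10.5.40 198.51.100.20 443 22000
2024-03-01T08:20:00 10.10.5.23 203.0.113.7 443 518
2024-03-01T08:25:00 10.10.5.23 203.0.113.7 443 514
2024-03-01T08:31:55 10.10.5.40 198.51.100.22 443 9000
"""


def parse_log(text):
    """Group log lines into flows keyed by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append(
            (datetime.fromisoformat(ts), int(nbytes)))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.15, allowlist=()):
    """Return flows whose inter-connection intervals are suspiciously regular.

    jitter = stdev(intervals) / mean(intervals). Human-driven traffic has
    high jitter; a timer-driven implant checking in on a schedule has very
    low jitter. Destinations in `allowlist` (known legitimate periodic
    traffic such as NTP or historian polling) are skipped.
    """
    hits = []
    for (src, dst, port), events in flows.items():
        if dst in allowlist or len(events) < min_connections:
            continue
        times = sorted(t for t, _ in events)
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "port": port,
                "count": len(events),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: {src} -> {dst}:{port} every ~{period_s}s "
              "({count} connections, jitter {jitter})".format(**hit))
```

Run against the constructed sample, the script flags the one host checking in every five minutes and ignores the irregular browsing host; in practice the thresholds and the allowlist need tuning against a baseline of the site's own normal traffic before the alerts are trusted.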
3. While they may have documented procedures for responding to incidents, their staff has not exercised the procedures enough to know instinctively what to do… if they are able to detect they have been compromised at all. Building out an Incident Response system is very important, and it is too late to do this while you are under attack. The plans and procedures must be built before the attack happens, and the technical staff should be ready to invoke the Incident Response system at any given time, and know what steps to follow to contain the threat and start the recovery process.
4. Lastly, many of the sites that we have been to are not ready to restore these systems quickly back to a “normal” state. There have been great advancements in technology over the past 10 years. The days of restoring from tape systems are long behind us. Many systems can now leverage Virtual Machine (VM) technology, full system backups, over-the-wire backup and restore, and fully redundant, high-availability capabilities so that they can survive with parts of the system taken down, or restore systems back to a clean state within minutes.
Hope these comments / thoughts can help you determine if your organization has those above four areas of cyber security covered!