Back for the third year in its current form, the Industrial Control Systems (ICS) Cyber Security Conference Singapore (April 16-18), organized by SecurityWeek, saw increased delegate numbers (250) and several new sponsoring companies, which augurs well for continued and much needed discussion and showcasing of the industrial variant of cybersecurity – the issues, the challenges, the threat landscape, the technologies, the product suppliers, etc.
While cybersecurity is a burgeoning concern here in this highly connected city-state, attention and action are still very much biased towards commercial and government entities rather than industrial and infrastructure operators. Perhaps this is not surprising given that the high-profile recent cyber-attacks, most notably the June 2018 theft of 1.5 million patient healthcare records, including those belonging to Prime Minister Lee Hsien Loong, have all been directed at IT rather than OT environments. This is also reflected in the events landscape, with most conferences dedicated to IT cybersecurity and targeting IT rather than OT folk.
So the ICS Cyber Security Conference Singapore is a more than welcome item on the local events calendar for those of us with industrial interest. And with more than 30 presentations over the two main conference days, a wide terrain of industrial cybersecurity was covered, from business and strategy issues right down to discussion of specific attacks and the intricacies of technical solutions. ARC’s presentation, “Threat Detection & Response: What’s the Right Solution?”, provided an analysis of the Industrial Threat Detection & Response market and advice on how to differentiate between offerings from suppliers. While this market is in the early stage of development, increasing cyber-attack sophistication and successful intrusions are driving its fast growth.
Outside in the exhibition area, visitors could get a closer – and for most delegates, first-time – look at product and service offerings from companies including Claroty, Nozomi Networks, Forescout, Fortinet, SANS Institute, Applied Risk, Bayshore Networks, and PAS.
In his presentation, Vijay Vaidyanathan, ICS security consultant, Claroty, which offers threat detection solutions for ICS networks, made the point that there is to date far more security technology in place for IT than for OT, and thus the exposure of OT to threats is much greater. Given this IT/OT asymmetry (as Claroty calls it), Mr Vaidyanathan offered some recommendations on how to cost-effectively ramp up OT cybersecurity: invest in best practices that leverage existing infrastructure – for example, don’t create a separate OT SOC if you already have an IT SOC; getting visibility into your OT networks to detect abnormal behavior is critical and will give you the highest ROI; and once you have that visibility, ensure you also have alert differentiation so that you can prioritize remedial actions based on the risk to operations.
From SANS Institute, the cybersecurity education and training provider, Doug Wylie, director, Industry Practice, highlighted the four types of threats to industrial control systems: ICS Opportunistic (e.g. Petya); ICS Themed (e.g. Dragonfly 2.0); ICS Tailored Access (e.g. BlackEnergy2); and ICS Tailored Attack (e.g. Stuxnet, Triton). In terms of targets, these threats progressively move from broad to specific. And in terms of impact, they become increasingly destructive rather than just disruptive.
The increasingly target-rich OT environment calls for a proactive rather than a reactive ICS cybersecurity culture, said Mr Wylie. However, a recent SANS survey revealed that only 50 percent of respondents had performed a security assessment of their control systems and networks in the last six months, so that proactive approach is still quite a way off from becoming standard practice. The well-known lack of cybersecurity expertise is a factor here, and SANS education and training roadmaps tailored for specific industries can help companies build a cyber-skilled workforce with defined levels for the necessary job roles.
Doug Wylie, SANS: The target-rich OT environment calls for a proactive rather than a reactive cybersecurity culture.
Anatomy of an Attack
According to Anand Makhija, technical director APAC, PAS, which offers ICS cybersecurity solutions as part of its industrial automation product portfolio, compromising an ICS cyber asset is not difficult for someone with knowledge of industrial control systems. And users are vulnerable not only because of the nature of the plant floor’s heterogeneous, vendor-proprietary systems, complex architectures, and often hidden endpoints such as I/O cards, but also because many companies adopt an IT-centric approach in their cybersecurity investments, i.e. Levels 2 and 3 get secured but not Levels 0 and 1.
Describing the anatomy of an attack, Mr Makhija gave the example of a malicious external actor exploiting an ICS-CERT vulnerability (ICSA-15-309-02) in the web server interface of a Honeywell Midas gas detector to change the configuration of selected gas detectors in a plant such that they transmit false readings, which results in the safety system shutting the process down. Not only does the incident result in significant lost production revenue, many hours are wasted trying to locate a gas leak that does not actually exist. Actions taken to prevent such an attack should include the following: reduce the attack surface by proactively identifying and remediating Level 0 and 1 vulnerabilities; capture baseline configurations in order to identify deviations for forensic investigations; and ensure a forensic configuration change analysis capability is in place.
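To make the last two recommendations concrete (baseline the Level 0/1 device configuration, then detect and triage deviations), here is an added example that is not PAS code and does not interact with any real device. It takes a constructed baseline of three hypothetical gas detectors and a later snapshot in which one detector's alarm setpoint has been altered, a label has been edited, and an unknown device has appeared. Every deviation is reported, and the risk ranking (the `RISK` table, an assumption for illustration) puts safety-relevant parameters first, in the spirit of the risk-to-operations alert prioritization mentioned in the Claroty talk above.

```python
"""Configuration baseline and drift detection for ICS field devices.

Added illustration; the device names, parameters and RISK ranking are
constructed assumptions, not any vendor's format or data.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Hypothetical mapping of configuration parameter -> operational risk if changed.
# Alarm setpoints and the gas type drive the safety response, so they rank highest.
RISK = {
    "sensor_gas": "high",
    "alarm_high_ppm": "high",
    "alarm_low_ppm": "high",
    "firmware": "medium",
    "ntp_server": "medium",
    "label": "low",
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Deviation:
    device: str
    parameter: str
    baseline: object
    current: object
    risk: str


def fingerprint(cfg: dict) -> str:
    """Stable SHA-256 over a canonical JSON form; use it to store the baseline."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_configs(baseline: dict[str, dict], current: dict[str, dict]) -> list[Deviation]:
    """Compare a later snapshot against the baseline, highest risk first."""
    found: list[Deviation] = []
    for dev, base_cfg in baseline.items():
        cur_cfg = current.get(dev)
        if cur_cfg is None:
            # A baselined endpoint that no longer answers is itself suspicious.
            found.append(Deviation(dev, "<device>", "present", "missing", "high"))
            continue
        if fingerprint(base_cfg) == fingerprint(cur_cfg):
            continue  # unchanged; skip the per-key walk
        for key in sorted(set(base_cfg) | set(cur_cfg)):
            b, c = base_cfg.get(key), cur_cfg.get(key)
            if b != c:
                found.append(Deviation(dev, key, b, c, RISK.get(key, "medium")))
    for dev in sorted(current.keys() - baseline.keys()):
        # An endpoint nobody baselined is exactly the "hidden endpoint" problem.
        found.append(Deviation(dev, "<device>", "missing", "present", "high"))
    found.sort(key=lambda d: (RISK_ORDER[d.risk], d.device, d.parameter))
    return found


# Constructed sample data: three detectors at baseline time.
BASELINE = {
    "GD-101": {"sensor_gas": "H2S", "alarm_low_ppm": 10, "alarm_high_ppm": 50,
               "firmware": "1.13b3", "ntp_server": "10.20.0.5", "label": "Pump bay A"},
    "GD-102": {"sensor_gas": "H2S", "alarm_low_ppm": 10, "alarm_high_ppm": 50,
               "firmware": "1.13b3", "ntp_server": "10.20.0.5", "label": "Pump bay B"},
    "GD-103": {"sensor_gas": "CH4", "alarm_low_ppm": 500, "alarm_high_ppm": 1000,
               "firmware": "1.13b3", "ntp_server": "10.20.0.5", "label": "Compressor"},
}

# Constructed later snapshot: GD-102's high alarm dropped to 5 ppm (would trip on
# background levels), GD-103 was relabelled, and GD-999 is an unknown newcomer.
CURRENT = {
    "GD-101": dict(BASELINE["GD-101"]),
    "GD-102": {**BASELINE["GD-102"], "alarm_high_ppm": 5},
    "GD-103": {**BASELINE["GD-103"], "label": "Compressor (north)"},
    "GD-999": {"sensor_gas": "H2S", "alarm_low_ppm": 10, "alarm_high_ppm": 50},
}


def run_example() -> list[Deviation]:
    return diff_configs(BASELINE, CURRENT)


if __name__ == "__main__":
    for d in run_example():
        print(f"[{d.risk.upper():6}] {d.device} {d.parameter}: {d.baseline!r} -> {d.current!r}")
```

In practice the baseline fingerprints would be stored with the collection timestamp so that a later forensic review can say exactly which parameters changed between two known-good points, and the `RISK` table would be agreed with the process safety engineers rather than invented by the security team.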
The goal of his “Lessons for Successful Cybersecurity” presentation, said Malcom Baille of Nozomi Networks, was to help ensure that organizations are ready for implementation of an advanced network security monitoring solution, can successfully deploy the solution, and then are able to properly utilize the visibility and threat detection provided to secure the environment. Common issues he has observed during site planning and deployment of ICS network security monitoring solutions can be both technical and organizational in nature.
Malcom Baille, Nozomi Networks: A common issue observed in cybersecurity deployments is companies not planning in advance as to who will be monitoring the security alerts.
On the technical side, for example, under-sizing monitoring hardware, often because of incorrect traffic throughput estimates, and not specifying ruggedized equipment for the operating environment. And on the organizational front, not planning in advance as to who will be monitoring the security alerts, not making the various cybersecurity teams aware of new processes, and inadequate training of all the stakeholders who will be using the new solution.