ICS Cyber Security is still not understood by the IT community - and it is hurting critical infrastructure
May 8, 2013 Cheri McGuire, Symantec's Vice President, Global Government Affairs & Cybersecurity Policy testified to the Senate Judiciary Subcommittee on Crime and Terrorism hearing. She stated: "In my testimony today, I will provide the Subcommittee with our latest analysis of the threat landscape as detailed in the just-released Symantec Internet Security Threat Report (ISTR), Volume 18. Last year, we saw a significant increase in targeted attacks - up 42 percent from 2011, and it is almost certain that this trend will continue in the coming years. Symantec has a long and successful history of participation and leadership in various industry organizations, as well as public-private partnerships in the US and globally. Among these are the National Cyber-Forensics & Training Alliance (NCFTA), InfraGard, and INTERPOL. Effective sharing of actionable information among the public and private sectors on cyber threats, vulnerabilities, and incidents is an essential component of improving cybersecurity and combatting cybercrime. Internationally, Symantec partners with various non-profit organizations, including the Canada-based Society for the Policing of Cyberspace (POLCYB), to provide training workshops to law enforcement officials and policymakers around the globe."
However, Symantec's 2013 Internet Security Threat Report never mentioned ICS. SCADA was mentioned only once where it stated: "In 2012, there were 85 public SCADA (Supervisory Control and Data Acquisition) vulnerabilities, a massive decrease over the 129 vulnerabilities in 2011." I find this statement incongruous and sending the worst possible message - the threats to ICS are decreasing when in fact the opposite is true. I have attended and/or participated in POLCYB, Infragard, and NCFTA meetings. These organizations were, and are not, knowledgeably aware of ICS cyber security issues. The same lack of ICS understanding was in the Verizon Data Breach Report and the Ponemon Institute Data Breach Report. Unfortunately, given this lack of ICS cyber security understanding, one can only hope that ICS cyber security is not part of Symantec's training even though it obviously should be.
With so much money and spotlight on critical infrastructure protection and no barrier to entry, is it a surprise there is so much participation from the IT security community that is relatively clueless about ICS issues? This not only includes the private sector, it also includes government organizations that should know better. This lack of understanding is evident in the utility control system cyber security test bed. Most of the security companies that have responded to provide ICS cyber security solutions have simply rebranded their IT solutions with the term "SCADA" in front with minimal understanding of the environment. This lack of understanding is NOT painless. There have been too many ICSs shutdown or disabled by well-intentioned IT types. As a plant manager recently stated: ""With well intentioned people monkeying around in the automation system, who needs terrorists or disgruntled employees?"
What does it take for ICS cyber security to become mainstream - the lights going out, major pipeline ruptures, water systems compromised, hydro facilities destroyed, trains crashing, planes crashing, etc? Oh wait, they already have.