ICS Cyber Security is still not understood by the IT community - and it is hurting critical infrastructure

May 8, 2013 Cheri McGuire, Symantec's Vice President, Global Government Affairs & Cybersecurity Policy testified to the Senate Judiciary Subcommittee on Crime and Terrorism hearing. She stated: "In my testimony today, I will provide the Subcommittee with our latest analysis of the threat landscape as detailed in the just-released Symantec Internet Security Threat Report (ISTR), Volume 18. Last year, we saw a significant increase in targeted attacks - up 42 percent from 2011, and it is almost certain that this trend will continue in the coming years. Symantec has a long and successful history of participation and leadership in various industry organizations, as well as public-private partnerships in the US and globally. Among these are the National Cyber-Forensics & Training Alliance (NCFTA), InfraGard, and INTERPOL. Effective sharing of actionable information among the public and private sectors on cyber threats, vulnerabilities, and incidents is an essential component of improving cybersecurity and combatting cybercrime. Internationally, Symantec partners with various non-profit organizations, including the Canada-based Society for the Policing of Cyberspace (POLCYB), to provide training workshops to law enforcement officials and policymakers around the globe."

However, Symantec's 2013 Internet Security Threat Report never mentioned ICS. SCADA was mentioned only once where it stated: "In 2012, there were 85 public SCADA (Supervisory Control and Data Acquisition) vulnerabilities, a massive decrease over the 129 vulnerabilities in 2011." I find this statement incongruous and sending the worst possible message - the threats to ICS are decreasing when in fact the opposite is true. I have attended and/or participated in POLCYB, Infragard, and NCFTA meetings. These organizations were, and are not, knowledgeably aware of ICS cyber security issues. The same lack of ICS understanding was in the Verizon Data Breach Report and the Ponemon Institute Data Breach Report. Unfortunately, given this lack of ICS cyber security understanding, one can only hope that ICS cyber security is not part of Symantec's training even though it obviously should be.

With so much money and spotlight on critical infrastructure protection and no barrier to entry, is it a surprise there is so much participation from the IT security community that is relatively clueless about ICS issues? This not only includes the private sector, it also includes government organizations that should know better. This lack of understanding is evident in the utility control system cyber security test bed. Most of the security companies that have responded to provide ICS cyber security solutions have simply rebranded their IT solutions with the term "SCADA" in front with minimal understanding of the environment. This lack of understanding is NOT painless. There have been too many ICSs shutdown or disabled by well-intentioned IT types. As a plant manager recently stated: ""With well intentioned people monkeying around in the automation system, who needs terrorists or disgruntled employees?"

What does it take for ICS cyber security to become mainstream - the lights going out, major pipeline ruptures, water systems compromised, hydro facilities destroyed, trains crashing, planes crashing, etc? Oh wait, they already have.

Joe Weiss

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

  • @Joe - Indeed a quite ironic position for Symantec given their researchers were knee deep with Stuxnet. 

    Not too long ago ICS were just too complex or expensive to have test beds.  Many apprentice engineers and technicians had no choice but to 'practice' on production systems - the proverbial 'school of hard knocks'.

    Control systems have become easier and more affordable (in many respects because of COTS technology). The test bed concept is awesome.  Early work with the National SCADA Test Bed helped launch many initiatives including ours.

    Integrating the test bed concept with real world practices at a utility seems like a good path forward.  While disappointing to hear of failures lets hope potential innovators continue to step forward.

    Industry probably needs a few more test beds. ICS-ISAC is starting up the ICS Security Lab but a few more real world venues might be in order.

    If you really want folks involved in ICS Security they need safe place to learn.

     

    Reply

RSS feed for comments on this page | RSS feed for all comments