Industrial control system (ICS) cyber incidents are not being identified or reported – despite survey results to the contrary

Tripwire performed a critical infrastructure survey asking how long it would take to detect a breach. According to the Tripwire survey, 86% of energy security professionals believe they can detect a breach in less than a week and 61% believe they can detect a critical system breach in less than 24 hours. Thankfully, Tripwire questioned the results: “The problem with this high level of confidence is that other reports have indicated something quite different.”  

The 2015 Verizon Data Breach Report (http://www.verizonenterprise.com/DBIR/2015/) reported that two-thirds of targeted attacks against IT systems generally took months to detect a breach. A recent survey by the SANS Institute (https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042) showed that 32% of respondents revealed that their ICS assets or networks had been infiltrated or infected at some point.  Additionally, 44% of those surveyed admitted that they were unable to identify the source of the infiltration and 15% said they need more than a month to detect a breach. IT security technologies are arguably years ahead of ICS cyber security technologies. What does that say about the ability of ICS cyber technologies to identify cyber incidents when IT systems have been breached for months to years before being identified? Recall that Stuxnet was “in the wild” for years before being identified.

ICS cyber incidents affect system reliability, availability, and potentially even safety. The significant ICS cyber incidents are loss of view, loss of control, and/or loss of function. Consequently, they are not just data breaches but can have physical consequences. Hackers intent on doing real damage would most likely want to attack ICSs. There have already been more than 500 actual ICS cyber incidents of which more than 250 were in the electric and energy industries. ICS cyber impacts have ranged from trivial to significant environmental discharges, to significant equipment damages to large system-wide electric outages to deaths. Yet, very few of these incidents were identified as cyber. Moreover, ICS cyber incidents continue to occur.

There are many systems that monitor IT networks. However, there are very few organizations monitoring their ICS devices or ICS networks for cyber security as those types of technologies are not nearly as developed as those for IT networks. Consequently, how would you know if the ICS devices or networks have been compromised? This need to have the ICS personnel identify ICS cyber incidents led to my International Atomic Energy Agency (IAEA) project on scenario-based training (see June 5, 2015 www.controlglobal.com/unfettered blog).

The inability to identify or report ICS cyber incidents can have significant implications.

- The existing cyber monitoring technologies do not appear capable of identifying many ICS cyber incidents. Consequently, ICS cyber incidents can be impacting the electric or energy industries without any identification they were cyber-related. What technologies and training should be developed or employed?

- There are still many "disincentives" for reporting events as being cyber-related and not just "glitches". What can be done to reduce the burdensome internal-to-the organization (e.g., additional paperwork and reporting, etc) and external-to-the organization impacts (e.g., regulators, insurance, Wall Street, etc) of reporting incidents as cyber-related?

- The IAEA project explicitly identified ICS cyber incidents that were not network-related. Consequently, the incidents required Operations to identify the problem and then contact IT to address the security implications. However, currently there is often little, if any, cross-talk between the Operations and IT organizations particularly after unexpected upset conditions. What will it take to overcome the cultural divide between IT and Operations?

- Many of the ICS cyber incidents in the electric industry, including some that have directly contributed to large system-wide outages, have been in systems out of scope for NERC CIP compliance. Consequently, the security/compliance organizations generally have not addressed these systems for potential cyber consideration while the ICS organizations generally have not been trained to address the potential cyber aspects. Are the utilities willing to address cyber compromises in systems out of NERC CIP scope?

- For compliance, the NERC CIPs require the ability to identify cyber incidents. What training should NERC CIP auditors be given to understand the limitations in identifying ICS cyber incidents in order to judge compliance?

The understanding of actual ICS cyber incidents is critical to developing the technologies and training to identify and address ICS cyber incidents.

Joe Weiss