Observations from Mocana Webinar – some very surprising survey results
Wednesday, January 31st, 2018, I participated with Mocana on a webinar on the Hatman malware (Trisis – Triconex safety system) attack. The webinar can be found at https://www.brighttalk.com/channel/9609/mocana-corporation.
There were 119 attendees out of 171 that registered for the live webinar, a representative sample number. We didn’t ask the split between IT and ICS personnel in attendance so the conclusions from the in-presentation surveys may not be as clear as we would like. The survey questions were in order of being asked.
Q: What is your biggest concern about the impact of ICS cyber attacks?
Production Downtime 51%
Environmental Impact 6%
Need for additional manpower 3%
Personnel safety 31%
Impact to Brand 6%
Observation: This was a webinar on the Triconex hack. Consequently, the sensitivity to reliability and safety was refreshing.
Q: How effective is existing technology at preventing ICS cyber attacks?
Very effective 3%
Moderately effective 53%
Not effective 28%
Entirely ineffective 3%
Observation: This survey question was provided after discussions about the Stuxnet and Triconex hacks. In both cases, the security systems did not identify the hacks. It should also be mentioned that many major IT hacks were not found expeditiously either. The inability to expeditiously identify ICS cyber events can explain the apparent lack of confidence in ICS cyber attack prevention.
Q: How can you improve your defenses against ICS cyber attacks?
Expand monitoring and threat detection 25%
Limit impact of human error 0%
Deploy appropriate firewalls and network filtering 0%
Harden ICS endpoint devices and gateways 41%
Improve ICS cybersecurity process and procedures 32%
Observation: The response to these questions are the most interesting. If this question would have been asked at the beginning of the webinar, my feeling is the responses on firewalls and endpoint devices would have been reversed. However, this survey question was given after explaining that:
- many ICS cyber attacks are tied to the Windows HMI;
- the serial-to-Ethernet convertors (gateways) are cyber vulnerable, have been compromised, and are an input into the Windows HMI; and
- the Level 0,1 endpoint devices (e.g., process sensors, actuators, and drives) have no cyber security or authentication.
This is the first time I have seen such a lack of confidence in firewalls and network filtering as well as such an acknowledgement that the ICS endpoint devices need to be secured.