Observations from Mocana Webinar – some very surprising survey results

Feb. 2, 2018

On Wednesday, January 31st, 2018, I participated with Mocana on a webinar on the Hatman malware (Trisis – Triconex safety system) attack. The survey question responses from the webinar are the first time I have seen such a lack of confidence in firewalls and network filtering as well as such an acknowledgement that the ICS endpoint devices need to be secured.

The webinar can be found at https://www.brighttalk.com/channel/9609/mocana-corporation.

There were 119 attendees out of the 171 who registered for the live webinar, a representative sample number. We didn’t ask the split between IT and ICS personnel in attendance, so the conclusions from the in-presentation surveys may not be as clear as we would like. The survey questions are listed in the order they were asked.

Q: What is your biggest concern about the impact of ICS cyber attacks?

- Production Downtime: 51%

- Environmental Impact: 6%

- Need for additional manpower: 3%

- Personnel safety: 31%

- Impact to Brand: 6%

Observation: This was a webinar on the Triconex hack. Consequently, the sensitivity to reliability and safety was refreshing.

Q: How effective is existing technology at preventing ICS cyber attacks?

- Very effective: 3%

- Effective: 10%

- Moderately effective: 53%

- Not effective: 28%

- Entirely ineffective: 3%

Observation: This survey question was provided after discussions about the Stuxnet and Triconex hacks. In both cases, the security systems did not identify the hacks. It should also be mentioned that many major IT hacks were not found expeditiously either. The inability to expeditiously identify ICS cyber events can explain the apparent lack of confidence in ICS cyber attack prevention.

Q: How can you improve your defenses against ICS cyber attacks?

- Expand monitoring and threat detection: 25%

- Limit impact of human error: 0%

- Deploy appropriate firewalls and network filtering: 0%

- Harden ICS endpoint devices and gateways: 41%

- Improve ICS cybersecurity process and procedures: 32%

Observation: The responses to this question are the most interesting. If this question had been asked at the beginning of the webinar, my feeling is that the responses on firewalls and endpoint devices would have been reversed. However, this survey question was given after explaining that:

- many ICS cyber attacks are tied to the Windows HMI;

- the serial-to-Ethernet converters (gateways) are cyber vulnerable, have been compromised, and are an input into the Windows HMI; and

- the Level 0,1 endpoint devices (e.g., process sensors, actuators, and drives) have no cyber security or authentication.

This is the first time I have seen such a lack of confidence in firewalls and network filtering as well as such an acknowledgement that the ICS endpoint devices need to be secured.

Joe Weiss