I have been concerned for years that companies have been monitoring corporate networks and extrapolating those results to the ICS networks. I also believe that some of the government disclosures are based on the same premise. Specifically, there have been many articles and presentations since at least 2009 that have stated that spies and malware are in our ICS networks. Examples of stories about spies in our ICS networks include:
“Electricity Grid in U.S. Penetrated By Spies” http://www.fbiic.gov/public/2009/april/ElectricityGrid_in_U.S.PenetratedBySpies-WSJ.com.pdf and “Ugly Gorilla Hack of US Utility Exposes CyberWar Threat”, http://www.bloomberg.com/news/2014-06-13/uglygorilla-hack-of-u-s-utility-exposes-cyberwar-threat.html. Conversely, the May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores”, http://www.darkreading.com/vulnerabilities---threats/large-electric-utilities-earn-high-security-scores/d/d-id/1269299? appears to come up with a different conclusion based on the same lack of information.
The common thread to these articles and much of the discussions concerning ICS threats is that people are assuming that ICS networks are being monitored. In general, that is not a good assumption. Often, companies such as FireEye/Mandiant, BitSight, and others are monitoring the corporate networks and extrapolating those results to the ICS networks. In the June 16, 2014 SANS NewsBites article "Chinese Spies Stockpiling Critical Infrastructure Vulnerabilities", Mike Assante stated: “What is not being emphasized enough here is that our current defenses are stopping virtually none of these actors from gaining footholds, we are rarely seeing them from inside the target, and we have little confidence that we can remove them. The ironic tragedy is that the ICS network is far more defendable than the connected enterprise networks, as it is designed with specific purpose and functionality. We fail to take advantage of this attribute as most have little or no security visibility on the inside and lack a baseline of normal communications."
On a personal basis, I know of only a few companies that have actual monitoring data from their ICS networks. The results are certainly different than those on the corporate networks. Moreover, I know of many significant ICS cyber incidents that have occurred without any indication from network monitoring.
I have been working with a utility that has installed taps on their ICS network to view what is actually occurring. This information is of value for not only security but also for performance reasons.
Are spies in our ICS networks – who really knows but we really should find out.
Joe Weiss