Companies operating Industrial Control Systems (ICS) have a special set of challenges to deal with. Which is the state of the art?
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. Once connected, companies discovered the value of data that comes from industrial systems and additional pressures arose to connect isolated Control Networks to relatively open Corporate Networks. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment and have tragic impacts in the real world.
Kaspersky Lab recently conducted a survey of 359 industrial cybersecurity practitioners and uncovered some discrepancies between the perception and reality of ICS cybersecurity incidents.
83% of respondents feel prepared to handle an ICS cybersecurity incident, which is fortunate because over 50% had at least one cybersecurity incident to deal with in the past year — so they are getting a lot of practice.
The media talks at length about skilled attacks against ICS assets coming from nation states, hacktivists, competitors — often against 3rd party contractors up the supply chain. Survey takers seem to agree as 74% are expecting to see an attack against their industrial infrastructure in the coming year. But this is an interesting discrepancy as the top concern is conventional malware affecting control systems. How many companies are preparing to defend against the few, skilled attackers when they are most likely to be impacted by run-of-the-mill malware being sprayed across the Internet?
ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools. According to the survey, companies are responding to the threats with antimalware, network monitoring and device access controls. Over half of the respondents aren’t considering vulnerability scanning and patch management.
Based on the stats above, it seems likely that there will be many cybersecurity incidents in the coming months. What should industrial organizations prepare for? The survey highlights the top three concerns as:
– damage to product and service quality,
– loss of proprietary or confidential information, and
– reduction or loss of production at a site
On average these impacts added up to $497,000 per incident last year. So we have a likely probability and a quantifiable impact to base risk decisions upon. Now, these companies need to figure out how to make the right decisions.
Given that these companies are responsible for large scale industrial equipment, security incidents could have much bigger impacts in the real world than most. The challenges of an ICS environment are different than traditional, stand-alone control systems and highly connected corporate networks. The successful companies will be the ones with a unique plan to address the unique risks.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams. They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness.” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab. “With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind”.