In seeking to protect industrial control systems are we clear about what is being threatened and from what threats?

Reading the recently published Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) White Paper on Malware Trends left me somewhat unimpressed and disappointed. Whenever I read a document about cybersecurity, especially one written by an institution dealing with the security of industrial control systems, I am keen to see how the authors understand what needs to be protected and from what threats.

After several readings it is not clear for this reader what the authors think is being attacked and who the “attacker” is. This is an important point in terms of designing defensive measures. The authors seem to be saying that someone or something is using malware to attack IT and OT systems. The implications of references to “malware as a service” and “ransomware” imply cybercrime activity. However are the gains from engaging in cybercrime the only motivation behind cyber-attacks on critical systems? The question of who is doing the attacking is poorly answered in terms of a document written by ICS-CERT It makes a big difference in terms of designing effective mitigation strategies if the attacker is assumed to be either a cyber-criminal seeking to extort money by encrypting his victim’s IT data, a socially motivated hacktivist seeking to draw attention to some cause by causing a company website defacement or customer data breach, or if the attackers are highly resourced, patient and following the orders of a Government. Again, what exactly is being attacked here? One example used by the authors on page 3 is the too famous cyber-attack on Sony Pictures Entertainment in December of 2014. Strange to use a case where IT systems were targeted to illustrate a point. Where is the relevance for industrial control systems here? The list of “platform challenges” starting on page 14 sounds perfectly acceptable to an IT security guy but for an ICS security guy isn’t there something missing in the list of operating system platforms when only Microsoft, OS X, and Linux are mentioned? Is the data in mobile phones the only source of risk in mobile communications? What about the use of wireless communication between devices in a production environment?

In terms of trends about types of attackers, targets, and sophistication of malware there is a gaping *threat awareness hole* in the authors brief treatment of STUXNET (just in one sentence found in the USB section on p.6 and once more on page 18 where it is mentioned in a section devoted to ICS matters which strangely only merits one page just before the conclusion page!) no mention at all of cyber intrusion and subsequent damage at a German steel mill in 2014 , and analysis of cyber intrusion and attack that was executed against the power grid operators in Ukraine late last year. In those cases malware was just an enabling technology to allow for the remote penetration of control systems that denied operators the view and control of industrial processes. Why the superficial coverage? In the case of Ukraine it is most perplexing because ICS-CERT earlier this year put out a report on the cyber-attack against Ukraine’s power grid (2). The mention of this incident is left to the last page and is briefly described in vague terms as an attack on “corporate network of a power facility “(why show boldness in naming Sony Pictures and then shy away from mentioning the location of the other attack on a part of national critical infrastructure?). What is one to make of these statements? Could it be that IT people did the bulk of the writing for this White Paper and that the authors of the Ukraine report were not consulted? It would be a great pity if the left hand is working without coordination with the right hand. In terms of IT Security and ICS Security this lack of cross-awareness is the real trend that should be the subject of a White Paper. Until there is better coordination between the two spheres the attackers that range from the cyber-criminal to the well-skilled and resourced state attacker will have a significant advantage over those trying to protect critical systems – to the peril of all who depend upon a safely functioning critical infrastructure.

2. US ICS-CERT report on Cyber-attack on Ukrainian Critical Infrastructure, 2016.

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.