The corporate world we live in today relies on the information highway, an interconnected network system where business transactions are carried out in cyber space. Left undiscovered, a system’s vulnerability can lead to Intellectual Property (IP) loss, financial loss and confidential data exposure. In the Industrial Control System (ICS), hidden vulnerabilities can be exploited through malware, such as viruses and trojans, and can cause similar outcomes including unpredictable operations and expensive downtime, resulting in a loss of production and compromised safety systems.
Can this really happen to you?
Not so new to the cyber neighborhood are vulnerability researchers that look closely at ICS software and systems. The best outcome is that any vulnerability information is given directly to you or the Computer Emergency Readiness Team) (CERT), enabling a planned response. The worst outcome is that the vulnerability lands on an Internet site such as ExploitHub -- a virtual marketplace where vulnerabilities are sold to the highest bidder.
Let’s start the conversation!
With emerging threats such as Stuxnet, Duqu and Aurora Project ringing in our ears, what is a reasonable first step on the path to mitigation of ICS vulnerabilities? The resounding response across the board in the industry today is to take a close look in your own cyber neighborhood, through an audit of your ICS. Knowledge of these vulnerabilities is the first step to mitigation.
How safe is it to audit my ICS?
The concern is that network audits can be invasive causing network slowdowns that result in loss of communications resulting in your operators seeing @ signs in place of critical data needed to run your ICS. In order to perform a safe and effective audit on an ICS, a synthesis of experience in control systems, networking systems and operating systems knowledge is needed. This will make the audit extremely valuable to identifying vulnerabilities
What is the Audit Process?
The audit includes information gathering, risk assessment and gap analysis. This process will allow safe, reasonable, and cost effective methods to reduce exposure of the ICS to threats. The first step in the audit process is to clearly document the hardware, software and systems your company has. This typically includes an audit of system users, security policies (such as password complexity) and ports and services used by the system and its components.
There are several resources to assist in collecting information from your ICS. These sources could include the company security policies, and software that provides detailed information about your internal systems. (For example: port scanners, protocol sniffers and audit software). This data gathering portion of the audit process can be executed by a third party auditor, an internal team or a full blown audit by your friendly regional standards governance organization (can you say C.I.P.?).
The next step is to rank significant threats to your systems, and identify possible vulnerabilities. There are many factors associated with ranking cyber security risks, which include the environment of systems at risk, the likelihood of an exploit and the magnitude of the issue.
The information can then be used in a gap analysis, between where you are and the desired endpoint (ala’ standards such as company policies, D.O.D, Nist, Nerc, NRC). Not only does this data provide information on vulnerabilities that may exist, but it also provides a documented baseline of your current system. Careful planning will guide your audit from an information gathering exercise to a valuable component of your overall business continuity plan.
What’s the next step?
Using the results of your risk calculation for vulnerabilities and the results of the GAP analysis, a plan can be made to mitigate the vulnerabilities, starting with the most significant exposure. This will include cost and scheduling estimates for the work needed to address those vulnerabilities. Remember, in the world of cyber security and maintaining system reliability, waiting for the right time is never really a good option because if you’re not looking at your vulnerabilities, someone else is.