In the recently released survey from SANS, Securing Industrial Control Systems—2017, there were two results that stood out more than most. The first came from a question assessing which control systems had the greatest impact if compromised and exploited; the second related to which systems had the strongest data collection and analysis. In the case of impact, survey respondents ranked computer assets with commercially available OS, network devices, and controllers in the top three. For data insights, survey respondents ranked controllers, mobile devices, and OLE for process control in the bottom three.
Let’s carefully consider these two results. The common denominator in each is clearly controllers, which are typically found in distributed control systems (DCS), programmable logic controllers (PLC), and similar systems. These systems are responsible for safely and reliably running volatile processes, such as gasoline production, power generation, chemical manufacturing, and pharmaceutical production. They even make sure our favorite rides at Disneyland work without incident. Industrial control systems (ICS) are unseen by most, but are ubiquitous within our world.
So, how is it that such important systems can have so little visibility within a cybersecurity program? The reason for this cognitive dissonance is that getting data from these systems is hard. A typical industrial process facility will have a myriad of different vendor systems, each with its own proprietary, complex architecture and no common protocol to interrogate it for data. In fact, it has taken PAS over 200 man-years of investment to provide detailed system data for the majority of control systems found in plants today.
It is worth noting that controllers were also in the bottom third for risk. We feel this survey result does not match an emerging reality in which nation-sponsored actors can seemingly hack and disrupt Ukrainian power at will, and in which disgruntled insiders exercising tribal knowledge and/or credentialed access can bring down a production plant (e.g., Georgia Pacific plant processes were disrupted when a fired employee made unauthorized changes to control systems). Part of this low-risk rating also results from the lack of a public mandate to disclose attacks. Silos of information prevent cybersecurity professionals from accurately assessing risk.
In the end, if you do not know what you have or how it is configured, then you will struggle to recognize when a malicious or inadvertent change occurs. Changes within these systems can disrupt production, impact the environment, and cost lives. If you cannot see these critical systems, then how can you possibly hope to secure them sufficiently? With the stakes high for critical infrastructure, sustained cognitive dissonance can have disastrous results. Thankfully, surveys like this one from SANS will continue to shine a spotlight on an area where companies need to continue ramping up ICS cybersecurity investment.
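The point above, that you cannot recognize a malicious or inadvertent change without first knowing what you have and how it is configured, comes down to an inventory plus a configuration baseline. The script below is an added illustration (not PAS code or the survey's material): the controller names, vendor, firmware versions, logic text, setpoints and the approved-change list are all constructed, and it compares a later scan against the baseline, separating approved changes from ones that need investigation.

```python
import hashlib
import json
from typing import Dict, List, Set, Tuple

# Constructed sample inventories: a baseline captured in a known-good state and a later
# scan. Asset names, vendor, firmware, logic text and setpoints are made up.
BASELINE: Dict[str, dict] = {
    "PLC-BOILER-01": {"vendor": "ExampleVendor", "firmware": "2.4.1",
                      "logic": "IF drum_pressure > trip THEN close_fuel_valve",
                      "setpoint.trip_bar": 12.5},
    "DCS-REACTOR-07": {"vendor": "ExampleVendor", "firmware": "9.1.0",
                       "logic": "PID temp loop; alarm_hi 180",
                       "setpoint.alarm_hi_c": 180.0},
}
CURRENT: Dict[str, dict] = {
    "PLC-BOILER-01": {"vendor": "ExampleVendor", "firmware": "2.4.1",
                      "logic": "IF drum_pressure > trip THEN close_fuel_valve",
                      "setpoint.trip_bar": 14.0},           # trip setpoint raised
    "DCS-REACTOR-07": {"vendor": "ExampleVendor", "firmware": "9.2.0",  # upgrade
                       "logic": "PID temp loop; alarm_hi 180",
                       "setpoint.alarm_hi_c": 180.0},
    "PLC-UNKNOWN-99": {"vendor": "ExampleVendor", "firmware": "1.0.0",
                       "logic": "", "setpoint.trip_bar": 0.0},  # not in inventory
}
# (asset, field) pairs approved through change management (constructed).
APPROVED: Set[Tuple[str, str]] = {("DCS-REACTOR-07", "firmware")}

def fingerprint(config: dict) -> str:
    """SHA-256 over canonical JSON, so two scans of the same config hash identically."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def detect_drift(baseline: Dict[str, dict], current: Dict[str, dict],
                 approved: Set[Tuple[str, str]]) -> List[dict]:
    """Compare a scan against the baseline and return findings that need review."""
    findings: List[dict] = []
    for asset in sorted(set(baseline) | set(current)):
        if asset not in baseline:
            findings.append({"asset": asset, "type": "unknown_asset"})
            continue
        if asset not in current:
            findings.append({"asset": asset, "type": "missing_asset"})
            continue
        old, new = baseline[asset], current[asset]
        if fingerprint(old) == fingerprint(new):
            continue  # unchanged: skip the per-field comparison
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field):
                kind = "approved_change" if (asset, field) in approved else "unauthorized_change"
                findings.append({"asset": asset, "type": kind, "field": field,
                                 "old": old.get(field), "new": new.get(field)})
    return findings

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT, APPROVED):
        print(finding)
```

Run against these samples it reports the raised boiler trip setpoint as unauthorized, the reactor firmware upgrade as approved, and the unlisted PLC as an unknown asset.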