Critical Systems Security – Questions and Answers from SANS

The challenges of control systems security have been highlighted publically once again with the release of the NIST Cybersecurity Framework earlier this month. Further evidence of the need for improvements in how utilities and other critical infrastructure operators address cybersecurity was brought to light by ICS-CERT's Q4 2013 report on incident response activity.

According to its report:

ICS-CERT determined that:

  • 79 organizations were either confirmed or suspected to be compromised
  • 57 were determined to be 'not compromised,' and
  • 120 were indeterminate or unknown.

For many of the incidents that were categorized as 'suspected' to be compromised, the detection capabilities and log records were inadequate to positively determine if threat actors were able to penetrate the network and maintain a presence. This underscores the importance of maintaining system and network logs, which are essential for ensuring detection and response capabilities, especially during the course of investigating an incident.

It is worth noting that ICS-CERT reporting is done on a voluntary basis. And no surprise, ICS-CERT believes many more incidents are occurring, but not being reported. In keeping with previously noted challenges, ICS-CERT suggests the gap in reporting is due to a lack of sufficient detection and or logging capabilities.

Shameless plug: The Tenable SecurityCenter Continuous View platform provides critical infrastructure operators with capabilities for continuous monitoring across their ICS/SCADA and enterprise IT networks. This is achieved through the combination of active and passive scanning, log aggregation and security analytics. We will be sharing information about continuous monitoring for ICS/SCADA networks at SANS ICS Security Summit, March 17-18, 2014 in Orlando.

To provide additional insight into the current state of ICS security, earlier this year, SANS Institute surveyed IT and security professionals from industries where control systems are prevalent. The results of the survey, which was co-sponsored by Tenable, will be shared with the public during a webcast hosted by SANS analysts Matthew Luallen and Derek Harp at 1PM ET on April 1, 2014. A report outlining the findings will be distributed to all those who register for the webcast. Tenable will also make the report available to interested parties following its official release.

The release of the survey results follows on heels of SANS' annual ICS Security Training Symposium and Summit. Tenable will be sponsoring the Security Summit, which takes place March 17-18, 2014 in Orlando. Tenable product evangelist, Paul Asadoorian will be on hand at the event, and will also be recording Paul's Security Weekly podcast while on-site. We look forward to seeing you at the event.

Learn more about SANS ICS Security Summit

Register for the webcast here