Thursday, January 27, 2011

ICS-CERT Reviews 2010 in Cyber Security

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a review of cyber security activities in 2010. This provides a quick overview of significant events in control system security from the point of view of ICS-CERT. As one would expect, Stuxnet receives prominent mention but the substantial increase in the discovery of vulnerabilities in control system software is mentioned only in passing.
Many people have expressed concern over the last six months or so about the lack of detailed information on the Stuxnet worm coming out of ICS-CERT. The discussion of Stuxnet in this document will hardly improve their image with regard to Stuxnet. In fact, the authors of this review have actually aggravated the problem by stating in the ‘Lessons Learned’ section that: “Timely information sharing of threats and analysis is of chief importance in empowering and protecting public and private sector partners.” Hopefully ICS-CERT has learned this lesson.

Actually, the most valuable information on Stuxnet in this publication is found in the “Stuxnet Specific Resources” section on the last page. Interestingly, ICS-CERT gives the Symantec “W32.Stuxnet Dossier” the primary ranking (by listing it first) as a source of information, above the two ICS-CERT documents that many control system security experts have criticized as very weak sources of information.

Fly-Away Teams

The year in review looks at the establishment of fly-away teams to assist asset owners in responding to actual cyber security incidents. Beyond the basic discussion of these teams, the ‘Lessons Learned’ section deserves special attention from the control system community.

• Many asset owners reported that they were not aware of the resources available to keep them informed of current threat information or vulnerabilities to ICS.

• A common understanding of the potential impacts of cyber vulnerabilities (loss or degradation of process control, loss of sensitive information, etc.) does not exist across all CIKR sectors.

• Asset owners need to employ consistent management of privileges on their networks – who has which privileges and on which part of the network they apply for each individual.

• Forensics analysis is enhanced when the organization has established a baseline dataset for network configuration and typical traffic; this allows for more effective identification of intrusions.

• Asset owners need to develop adequate policies and procedures to educate employees and reduce the potential of unintended cyber incidents resulting from an untrained workforce.

I really do recommend that anyone with an interest in control system security read this document. It does provide some brief yet interesting discussions and the various ‘lessons learned’ listings provide some very concise, yet appropriate pieces of information about cybersecurity for control systems. It won’t directly make your security program any better, but it will provide a good list of talking/thinking points.
