Tuesday, July 7, 2015

ICS-CERT Publishes Monitor

This afternoon the DHS ICS-CERT published the latest version of the ICS Monitor, covering activities in May and June of this year. While this issue contains a lot of the standard full-color glossy self-advertisement that we have come to expect from this periodic report, there are three interesting articles that are well worth reading.

Incident Investigation

This has become a standard feature in the Monitor: a sanitized report on an on-site investigation carried out by ICS-CERT in the period covered. There are no real details about the incident other than that the owner suspected possible ‘APT activity’ on their control system network.

The real value of the article is that it points out that the facility did just about nothing to protect its control system. For example, it was not able to enumerate all of the devices on the network. It had no network logs to use for a forensic investigation. Finally, there was not even a clear delineation of who was responsible for the various sectors of the network. If there is a need to baseline bad performance, this article describes just such an installation.

Situational Awareness

The other two articles of note are found in this section of the Monitor. The first deals with internet connections and the other with using YARA for malware detection.

The first one starts off with the title “If You’re Connected, You’re Likely Infected” and then goes on to discuss the following basic techniques to protect your control system network:

∙ Isolate your ICS network from the internet;
∙ Limit and secure the use of remote access to your control system environment;
∙ Assign a manager responsible for cybersecurity; and
∙ Implement best practices for cybersecurity.

No real new information here, though I am a little surprised (and pleased) to see the brief section on management responsibility.

The third article worth reading is titled “Using YARA for Malware Detection”. This nearly full-page article provides a pretty readable guide to how to use the YARA tool. It almost certainly is not quite detailed enough to actually allow someone to use the tool (it is only a page long and fairly generic), but it should be enough to allow a manager to nod his head in the proper places when the control system engineer gives the 30-second version as an explanation for what he is trying to do.
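For readers who want to see what the tool the article describes actually consumes, here is an added example of a YARA rule; it is not taken from the Monitor article and the strings, hostname and rule name are constructed placeholders, not indicators from any real incident. A rule has three parts: optional metadata, the strings to look for (text or hex bytes), and a boolean condition over those strings.

```yara
rule Example_Windows_Binary_With_Hardcoded_C2
{
    meta:
        description = "Illustrative rule: flags a Windows executable that embeds a placeholder C2 hostname or a hidden PowerShell launcher string"
        author      = "editor example, not from the ICS-CERT Monitor"
        reference   = "constructed sample for explanation only"

    strings:
        // "MZ" magic bytes at the start of every Windows PE file
        $mz = { 4D 5A }

        // Placeholder hostname (.invalid is reserved and never resolves)
        $c2 = "update.example-c2.invalid" ascii nocase

        // Typical hidden, non-interactive PowerShell launcher flags
        $ps = "powershell -nop -w hidden" ascii nocase

    condition:
        // PE header must sit at offset 0, and at least one indicator is present
        $mz at 0 and ($c2 or $ps)
}
```

Saved as a `.yar` file, the rule is run with the command-line scanner, for example `yara -r -s rules.yar /path/to/samples`, where `-r` descends into directories and `-s` prints the matching strings along with the file name. The value for a control system owner is less the single rule than the workflow: an engineer can encode the indicators ICS-CERT shares in an advisory and sweep engineering workstations and HMIs for them without waiting for an antivirus vendor to ship a signature.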

Lies, Damn Lies and Statistics

Okay, a catchy title, but the first two are not apparently appropriate to this update on ICS-CERT incident statistics. As is usual it is not clear from the article just how many of the 108 enumerated “cyber incidents impacting critical infrastructure in the United States” in the first half of FY 2015 (so a full quarter behind) actually involve industrial control systems. Critical Manufacturing is now the hardest hit sector (20.2%) since the Energy Sector has been broken out into its constituent parts (Electric 13%, Petroleum 8%, Natural Gas 4%, and Miscellaneous 3% - Total 28%).

The interesting set of statistics here is found in the chart on incident reporting. Only 27% of the incidents were reported by asset owners while ‘federal partners’ accounted for 45%. Researchers even accounted for 17%. It is not clear if this is just a case of asset owners not knowing about ICS-CERT, not wanting to report to ICS-CERT, or exactly what.

The final set of statistics concerns the sources listed under ‘Attempted Infection Vector’. Fully 19% are listed as ‘scanning’, which most cybersecurity experts do not really count as an attack (and, to be fair, ICS-CERT is not reporting any of these as attacks). The scary part is that the single largest ‘infection vector’ is ‘Unknown’ at 28%. It is hard to share meaningful information about ‘Unknown’.


This is a short read, has some good information, and you cannot beat the price. I would recommend that you go ahead and download a copy. I did.

1 comment:

Dave Foose said...

It would have been nice to say if they found "APT" and what it was. While a real-world example of bad network segmentation was stressed, they didn't really give a clear "lessons learned" on incident response or when to engage it. They just insinuated that forensic information was tainted or destroyed, then proceeded to detail the investigative milestones.
