This afternoon the DHS ICS-CERT (in conjunction with the FBI and NSA) published a seven-page paper on protecting industrial control systems (ICS). Entitled “Seven Steps to Effectively Defend Industrial Control Systems”, the paper outlines seven steps that, if properly implemented, would have prevented 98% of the incidents reported to ICS-CERT in 2014 and 2015.
As most readers would expect, there is nothing really new or earth shattering in the seven steps. They have been preached pretty consistently by most ICS security experts over the last couple of years. They represent a fairly comprehensive defense-in-depth process for protecting control systems from attack. The seven strategies are:
• Implement application whitelisting;
• Ensure proper configuration/patch management;
• Reduce attack surface area;
• Build a defendable environment;
• Manage authentication;
• Implement secure remote access; and
• Monitor and respond.
The paper provides a general description of each of the strategies and how they help to secure industrial control systems. Most valuable, it includes a ‘real world’ example of how failure to execute each strategy resulted in an incident to which ICS-CERT responded. Some of these are ‘new’ examples that we have not heard publicly addressed before. Unfortunately, the paper gives too little detail about these incidents to spark any real interest or to really explicate the strategy.
Most Important Strategy is Missing
While the technical aspects of these seven strategies are well (if briefly) described, and they are all undoubtedly important, the most important part of any cybersecurity strategy is inexplicably ignored. There is no mention of training operators, engineers, or support staff in the fundamentals of cybersecurity. Without comprehensive training on the basics (and of course on the implementation of the strategies) there is no cybersecurity system that will survive contact with the real world for long.
Still, even missing the critical eighth strategy, this is a valuable paper that should be read by everyone in the control system security community. More importantly, it should be read by every CEO and board member responsible for organizations that contain any level of industrial control system (including building control systems and security access systems). Additionally, it should be required reading for every congressional staffer who could be called on to help craft or advise about control system security legislation.