This afternoon the DHS ICS-CERT published the latest version of their periodic report on activities under taken by ICS-CERT. Long-time readers will recall that I have become increasingly dismissive of this publication over the years. Unfortunately, I have to continue that trend.
As usual this issue starts off with a ‘report’ on an actual incident that was investigated by ICS-CERT. The details are even more sketchy than normal with no positive indication that a control system was actually involved. I understand that ICS-CERT is restricted in what information that it can share in a public environment, but all were told here is that the Assessment team noted indications of malware and the Incident Response team was called in. They confirmed the infection and provided information to allow the clean-up process to begin. Sorry, but we get more useful information from CSI Cyber®.
There is a nice fluff piece on vulnerability coordination in the medical device space. It contains a nice description of the coordination process but it is a feel good article that weakly makes the case for vulnerability disclosures. I hope ICS-CERT does a better job at next week’s FDA Conference.
We have the typical year end summary of ICS-CERT incidents where ICS-CERT continues to conflate ICS incidents and IT incidents at facilities with ICS. The section in this issue does make one very cogent point:
“While sophisticated intrusions against asset owners persist, in FY 2015, ICS-CERT responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks, where spear phishing can enable access. It is uncertain if this was a change in targeting by adversaries, if these systems merely represented targets of opportunity, or if there is some other explanation. Regardless of cause, this reinforces the need for asset owners/operators to focus on security fundamentals such as those outlined in our DHS/FBI/NSA joint publication ‘Seven Steps to Effectively Defend Industrial Control Systems’ and ICS-CERT’s ‘Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.’”
The FY 2015 highlights section of the Monitor does provide some interesting factoids about ICS-CERT and industrial control system security. An important milestone mentioned here is the elevation of the ICS-CERT to a continuous presence on the National Cybersecurity and Communications Integration Center (NCCIC) floor. This does mark an important increase in the perceived level of importance of control system security.
There is another mention in the highlights section that deserves some discussion here. That is the apparent release of version 7.0 of the Cyber Security Evaluation Tool (CSET). Unfortunately, there is no information about the differences between v7.0 and earlier versions and there is no indication on the ICS-CERT web site that the CSET has changed since May of 2014. This is a shame because this has been a valuable tool that can be used either in the stand-alone mode by a facility team or in conjunction with an assistance team from ICS-CERT. I really wish that ICS-CERT would do a better job publicizing the CSET.
In the final analysis, this is a short document that costs nothing but the very short download time. We are going to be hearing about the misleading incident stats for the next 9 months so you might as well read the document.