Today the DHS ICS-CERT published a report that looks at the results of 112 formal assessments that ICS-CERT conducted of industrial control systems during FY 2015. These assessments were conducted using the ICS-CERT’s Cybersecurity Evaluation Tool (CSET, 38 facilitated assessments), the Design Architecture Review (DAR, 46 assessments), and the Network Architecture Validation and Verification (NAVV, 28 assessments).
The report provides the following snapshot of the assessments conducted in FY 2015 (pg 1):
• ICS-CERT conducted 112 assessments in FY 2015, including 38 facilitated CSET®, 46 DAR, and 28 NAVV assessments.
• There were 638 weaknesses identified through DAR and NAVV assessments.
• The top six categories represented 36 percent of all weaknesses.
• Boundary protection was the most commonly identified area of weakness in both FY 2014 and FY 2015.
• Weaknesses related to boundary protection and least functionality represented 21 percent of all discovered weaknesses.
• Key trends included pervasive issues related to virtual machines, remote access, virtual local area network (VLAN) use, bring your own device (BYOD) risks, use of cloud services, and ICS network monitoring.
While the report draws some interesting conclusions about the most common cybersecurity weaknesses found in these assessments, it is very difficult to determine how well those weaknesses represent the control system environment in the United States as a whole. Several things limit how far the results can be generalized: the small number of facilities assessed; the fact that the facilities were self-selected (each one requested its ICS-CERT assessment, so owners who already cared about security are probably over-represented); and the absence of any information about facility size, the type of control system (DCS, SCADA, etc.), or how much support the facility had from internal or contract cybersecurity personnel when its control system security was set up.
The other problem with this report is that we are not even sure that 112 separate facilities were included. The report counts assessments, not facilities, and a single facility could have had ICS-CERT conduct any combination of a CSET, a DAR and a NAVV assessment. If that happened with any frequency, the actual number of facilities in the study could be considerably smaller than 112.
Having said all of that, I think that control system security personnel (professional or the untrained grunts on the frontline) should probably read this 25-page document. Addressing the most common problems identified in these assessments will not necessarily make the associated industrial control systems secure, but doing so will provide a good starting point for making facilities more secure.