Yesterday the DHS ICS-CERT published a 17 page report on the
cybersecurity incidents the organization has responded to since its inception in
2009. The report provides an overview of the number of incidents
per year and by critical infrastructure sector. It summarizes common findings
and provides an overview of the vulnerabilities discovered in three broad
categories: people, process and technology.
Summary Data Misleading
The initial summary of ICS-CERT incident response data is
rather frightening: nine responses in 2009, 41 in 2010 and 198 in 2011 (page
2). It would seem to support the general idea that our critical infrastructure
systems are increasingly under attack, a conclusion supported by other reports.
A closer reading of the report, however, makes that conclusion less clear. For
example, the report notes that of the 2011 incidents an unspecified number were “due
to a large number of Internet facing control system devices reported by
independent researchers” (pg 5); presumably those incidents could have been
reported in 2010 or 2009 if the tools for detecting Internet-facing devices had
been available in those earlier years.
No ICS Threat Identified
The other misleading aspect of this report is that it is
supposedly about the ICS threat landscape during the period. Unfortunately, the
vast bulk of the incidents appear to have been on enterprise systems at these
facilities, not on control systems. Of the incidents reported in any detail in
this report (and the details are deliberately and rightfully sketchy) only
three deal with actual control systems: a Stuxnet infection clearance, an
environmental control system problem, and a water system pump problem. The last
two were determined not to be related to a cyber-attack.
What the Report Doesn’t Say
The report does identify a number of incidents where
sophisticated targeted attacks were directed at critical infrastructure
organizations. And it does briefly mention that there were multiple indications
of information being exfiltrated from some of those infected systems.
Unfortunately, it doesn’t appear that anyone has any real idea of what types of
information were taken; it could easily be assumed that control system access
and topology data were copied that would allow for a sophisticated
follow-on attack.
The report also makes no attempt to compare the reported
attacks to the number of attacks detected but not reported to ICS-CERT, or to the
number of successful attacks that were never detected. While any such numbers
would be guesses (hopefully educated guesses), they would give a better look at
the potential threat landscape. As it stands, this report seems to indicate that
the overall threat to the ICS community is really rather small.
Political Implications
With the Senate perhaps (don’t really hold your breath) set
to take up some sort of ‘comprehensive’ cybersecurity legislation in the coming
weeks, this report does a disservice to the control system community. It minimizes
the potential threat to critical infrastructure control systems and makes the
case quite firmly that there is no need for any regulation of cybersecurity for
control systems. In fact, a diligent bean counter who read this report would
conclude that there is little or no need for spending any significant corporate
resources on control system security.
Because this politically inept report does not address the
sharp increase in the vulnerabilities reported in control systems
or the increasing interest in the hacker (black hat and white hat) community in
finding the vulnerabilities in these systems, the report does not identify the
increasing probability of attacks, sophisticated and otherwise, on control
systems. It does not explain to the uninitiated that the landscape is quickly
changing: it is becoming easier to attack control systems, and this presages
a probable radical increase in actual attacks on control systems.
For those of us in the control system security community,
this is a valuable report on what ICS-CERT has done, but it handicaps us in our
ability to protect the critical infrastructure control systems in this country
from future attacks.