Early this afternoon the DHS ICS-CERT published the
October-December issue of the ICS-CERT Monitor. Sometime later this afternoon
all mention of it was removed from the ICS-CERT web page. Fortunately, the link
provided earlier this afternoon is still functioning.
ICS-CERT Incident Response
The monitor reports that ICS-CERT responded to 256 incidents
in 2013. There is a lot of miscellaneous information about these incidents but
there is not a single conclusive mention of a control system being directly
involved in any of the incidents.
Lacking any specific mention of ICS attacks, the most disturbing
data point in this section of the Monitor is that of the 256 incidents, the
ICS-CERT team could not determine if there had actually been an attack (or not)
in 120 of the incidents (almost 47%). The reason given was that “the detection
capabilities and log records were inadequate to positively determine if threat
actors were able to penetrate the network and maintain a presence” (pg 2).
Situational Awareness
This section of the Monitor contains an interesting
discussion of application whitelisting challenges. Another brief article
discusses the Network Architecture Verification and Validation technique to
detect communications attempts (and completions) with sources outside of the
network. The use of Business Impact Analysis to prepare for attacks that are
designed to dismantle or destroy a network asset was also discussed in a brief
article.
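The Network Architecture Verification and Validation idea described above, as an added example that is not from the Monitor or this post: a small script that walks connection records (the kind a firewall or flow collector exports) and flags any flow with an endpoint outside the ICS network's own address ranges, separating attempts from completed connections. The address ranges, the record format, and the sample flow lines are all constructed for the example.

```python
"""Added example (not ICS-CERT's tool): a minimal NAVV-style check that reports
connection attempts, and completions, between the ICS network and outside hosts.
"""
import ipaddress
from collections import defaultdict

# Assumed ICS network ranges (constructed values; replace with the site's own).
INTERNAL_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample flow records: timestamp, src, dst, dst_port, state.
# "syn_only" means the handshake never completed; "established" means it did.
SAMPLE_FLOWS = """\
2013-11-03T02:14:07Z 10.10.4.21 10.10.1.5 502 established
2013-11-03T02:14:09Z 10.10.4.21 203.0.113.17 443 syn_only
2013-11-03T02:15:30Z 10.10.4.21 203.0.113.17 443 established
2013-11-03T02:16:02Z 192.168.50.12 198.51.100.9 8443 syn_only
2013-11-03T02:17:45Z 10.10.2.8 10.10.1.5 44818 established
2013-11-03T02:18:10Z 203.0.113.17 10.10.1.5 502 syn_only
"""


def is_internal(addr):
    """True if addr falls inside one of the site's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated record format used above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, state = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "state": state})
    return records


def external_findings(records):
    """Return {(src, dst, port): {"direction", "attempts", "completed"}} for
    every flow that crosses the network boundary. Flows entirely inside the
    site's own ranges are ignored; "attempts" counts every record for the
    tuple and "completed" only those whose handshake finished."""
    findings = defaultdict(lambda: {"direction": None, "attempts": 0, "completed": 0})
    for r in records:
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        if src_in and dst_in:
            continue  # purely internal traffic is out of scope for this check
        key = (r["src"], r["dst"], r["port"])
        entry = findings[key]
        entry["direction"] = "outbound" if src_in else "inbound"
        entry["attempts"] += 1
        if r["state"] == "established":
            entry["completed"] += 1
    return dict(findings)


def summarize(findings):
    """Render findings as one line per boundary-crossing tuple, worst first
    (completed connections before mere attempts)."""
    ordered = sorted(findings.items(),
                     key=lambda kv: (-kv[1]["completed"], -kv[1]["attempts"]))
    return ["%s %s -> %s:%d attempts=%d completed=%d" % (
        v["direction"], k[0], k[1], k[2], v["attempts"], v["completed"])
        for k, v in ordered]


if __name__ == "__main__":
    for line in summarize(external_findings(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run against a real export, the interesting lines are the completed outbound ones from hosts that have no business reaching the internet at all; the attempt-only lines are still worth keeping, since the Monitor's point is that without such records a responder cannot tell afterwards whether an attempt ever succeeded.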