This afternoon the DHS ICS-CERT published the latest
version of their periodic report on activities undertaken by ICS-CERT. Long-time
readers will recall that I have become increasingly dismissive of this
publication over the years. Unfortunately, I have to continue that trend.
As usual, this issue starts off with a ‘report’ on an actual
incident that was investigated by ICS-CERT. The details are even sketchier
than normal, with no positive indication that a control system was actually
involved. I understand that ICS-CERT is restricted in what information it
can share in a public environment, but all we are told here is that the
Assessment team noted indications of malware and the Incident Response team was
called in. They confirmed the infection and provided information to allow the
clean-up process to begin. Sorry, but we get more useful information from CSI
Cyber®.
There is a nice fluff piece on vulnerability coordination in
the medical device space. It contains a nice description of the coordination
process, but it is a feel-good article that only weakly makes the case for
vulnerability disclosures. I hope ICS-CERT does a better job at next
week’s FDA Conference.
We have the typical year-end summary of ICS-CERT incidents,
where ICS-CERT continues to conflate ICS incidents and IT incidents at
facilities with ICS. The section in this issue does make one very cogent point:
“While sophisticated intrusions against
asset owners persist, in FY 2015, ICS-CERT responded to a significant number of
incidents enabled by insufficiently architected networks, such as ICS networks
being directly connected to the Internet or to corporate networks, where spear
phishing can enable access. It is uncertain if this was a change in targeting by
adversaries, if these systems merely represented targets of opportunity, or if
there is some other explanation. Regardless of cause, this reinforces the need
for asset owners/operators to focus on security fundamentals such as those outlined
in our DHS/FBI/NSA joint publication ‘Seven Steps to Effectively Defend
Industrial Control Systems’ and ICS-CERT’s ‘Recommended Practice: Improving
Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.’”
The FY 2015 highlights section of the Monitor does provide
some interesting factoids about ICS-CERT and industrial control system
security. An important milestone mentioned here is the elevation of the
ICS-CERT to a continuous presence on the National
Cybersecurity and Communications Integration Center (NCCIC) floor. This
does mark an important increase in the perceived level of importance of control
system security.
There is another mention in the highlights section that
deserves some discussion here. That is the apparent release of version 7.0 of
the Cyber Security Evaluation Tool (CSET). Unfortunately, there is no
information about the differences between v7.0 and earlier versions, and there
is no indication on the ICS-CERT
web site that the CSET has changed since May of 2014. This is a shame,
because this has been a valuable tool that can be used either in
stand-alone mode by a facility team or in conjunction with an assistance team
from ICS-CERT. I really wish that ICS-CERT would do a better job of publicizing the
CSET.
In the final analysis, this is a short document that costs
nothing but the very short download time. We are going to be hearing about the
misleading incident stats for the next 9 months, so you might as well read the
document.