How should we respond to ICS advisories?

With the spate of recent industrial cyber-security incidents, should ICS managers be doing anything in response?

A major challenge for companies that own and operate Industrial Control Systems (ICS) is to translate the incoming mass of security issues into an actionable plan. An example of this was the advisory released last month that disclosed a vulnerability in Schneider Electric SCADAGateway.

The first stage of this is to know whether or not a vulnerability affects your systems. This can only be achieved if you have an up to date asset register that lists the hardware and software you rely on. Asset registers are notoriously difficult to create and maintain. This is because techniques used for IT asset management are not always compatible with ICS networks. Additionally ICS are often reconfigured without keeping logs of the changes made. A number of solutions exist for this issue, ranging from professional off the shelf solutions like Industrial Defender, through to independent inspections and custom built tools that can determine the hardware on a network by its traffic.

After building and maintaining an asset register, the next step for ICS owners is to understand the impact of these issues and work out how (if at all), they can implement additional security measures to protect against them. If patching is not an option for six or twelve months (which is often the case due to certification or operational restrictions), then other options may still be available such as restricting the networks that can connect to the affected systems, or increasing monitoring of network traffic for signs of malicious activity.

The vulnerabilities we’re now seeing in the wild are not new and we are going to be seeing more of them. Many groups, from hacktivists to nation states, seek the ability to control or damage critical infrastructure and are investing time and money to improve their capabilities. We have seen evidence of this in both the report covering the 2008 pipeline explosion in Turkey, as well as the steel mill attack in Germany last year.

This increase in interest is magnified by ICS vendors competing to win business by offering new services. Many of these services lead to increase connectivity as users want to view real time ICSinformation from their PCs or smart phones. An increase in features and connectivity always leads to an increase in the attack surface available for an attacker to exploit to gain access.

At MWR we have seen an increasing concern within the ICS community with regard to ICScomponent security, most likely influenced by vulnerabilities like this one. Owners understand that once they install equipment and the system goes live, it is difficult or sometimes impossible to make changes to the equipment when a vulnerability is found. Owners and vendors will often bring in security specialists to perform detailed inspection and assessment of the security of the products before installing them. The goal is to give them a clear picture of the risks a product will expose them to and what options are available to keep their key assets safe.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.