The ICS-CERT recently released the “ICS-CERT Incident Response Summary Report,” which quantifies known industrial control system cyber security incidents from 2009 to 2011. The report offers a very useful summary of threats, and provides some eye-opening metrics. One finding across all reported incidents was that “an organization’s technology can result in cyber security gaps,” which are the result of—not surprisingly—the lack of a security management framework, and the lack of adequate patch management policies to ensure that security controls are up-to-date and able to protect against new exploits. Some other interesting conclusions include:
- Spear-phishing remains the leading infection vector.
- Most attacks were from sophisticated threat actors (despite the simple infection vectors).
- The majority of the incidents could have been thwarted, detected or at least minimized through the use of security recommended practices.
It’s encouraging how well these findings map to McAfee’s “Secure Connected” strategy, which combines a variety of security controls into a larger framework for centralized threat detection and policy management—and even more so to McAfee’s strategy for securing Critical Infrastructures. Critical infrastructure cyber security involves a few key products that have been tailored for industrial control systems and that, when used together under the Secure Connected framework, provide a reliable solution for ICS cyber security. One of these keystone products is Application Control, which provides application whitelisting and change control for endpoint protection. Whitelisting is a useful technology in ICS because it addresses the unique challenges of patch management in a control environment, where uptime is the single most important consideration.
The applicability of whitelisting was recently confirmed by an assessment of McAfee Application Control, Change Control and Integrity Control by the Pacific Northwest National Labs (PNNL).
The PNNL report also highlights the importance of a security management framework as a critical component of a cyber security plan. “PNNL’s assessment … provides very high assurances (in many cases absolute assurance), that the software executables, configurations, processing environments, and external data communications endpoints possess the highest level of platform protection available for ICS environments today. Many challenges related to technical security requirements, ranging from best practice to regulatory, can be mitigated with a diligent application of this technology.”
The key is the framework, which creates a whole that is greater than the sum of its parts. For example, consider another finding of ICS-CERT: “Properly developed and implemented detection methods are the best strategy to quickly identify and implement mitigation and recovery procedures … 10 [out of 17] organizations could have detected the incident by using ingress/egress filtering of known bad IP addresses or domain names.” So connect McAfee’s Global Threat Intelligence to the SIEM and instantly see all activity to pinpoint actions involving known bad actors.
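To make the ICS-CERT finding concrete, here is an added example (not from the original post, and not McAfee GTI, ePO or SIEM code) of the detection logic it describes: firewall and proxy records are parsed, each connection is classified as ingress or egress relative to the control network, and the endpoints are matched against a list of known-bad IP addresses, ranges and domain names. The log layout, the indicator list and the 10.0.0.0/8 control-network range are all constructed assumptions; a real deployment would load indicators from a threat-intelligence feed rather than hard-code them.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set standing in for a threat-intelligence feed.
# Assumption: a real feed is loaded from a file or API, not hard-coded.
BAD_IPS = {"203.0.113.45", "198.51.100.7"}
BAD_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BAD_DOMAINS = {"bad-example.invalid", "c2.example.net"}

# Assumed address space of the control network; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed syslog-style firewall and proxy records in an assumed key=value layout.
SAMPLE_LOGS = """\
2012-07-02T10:01:05 fw01 ACCEPT src=10.10.5.21 dst=203.0.113.45 dport=443 proto=tcp
2012-07-02T10:01:09 fw01 ACCEPT src=10.10.5.21 dst=10.10.1.4 dport=502 proto=tcp
2012-07-02T10:02:11 proxy01 GET src=10.10.5.33 host=updates.vendor.example dst=93.184.216.34 dport=80
2012-07-02T10:02:40 proxy01 GET src=10.10.5.33 host=login.c2.example.net dst=192.0.2.77 dport=80
2012-07-02T10:03:02 fw01 ACCEPT src=198.51.100.7 dst=10.10.5.21 dport=22 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    direction: str        # "ingress", "egress", "internal" or "transit"
    indicators: tuple     # labels of every indicator the record matched
    line: str


def parse_line(line):
    """Split one record into its leading timestamp and a dict of key=value fields."""
    fields = dict(KV_RE.findall(line))
    timestamp = line.split(" ", 1)[0]
    return timestamp, fields


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify_direction(src, dst):
    """Direction of the flow relative to the control network."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "egress"
    if dst_in and not src_in:
        return "ingress"
    return "internal" if src_in else "transit"


def match_ip(ip):
    """Return an indicator label if ip is a listed address or sits in a listed range."""
    if ip in BAD_IPS:
        return f"ip:{ip}"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in BAD_NETS:
        if addr in net:
            return f"net:{net}"
    return None


def match_domain(host):
    """Match the host exactly or as a subdomain of a listed domain (suffix on label boundaries)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return f"domain:{candidate}"
    return None


def find_indicator_hits(log_text):
    """Scan records and return one Hit per record that touched a known-bad indicator."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, f = parse_line(line)
        if "src" not in f or "dst" not in f:
            continue  # malformed record: no endpoints to evaluate
        indicators = [lbl for lbl in (match_ip(f["src"]), match_ip(f["dst"])) if lbl]
        if "host" in f:
            lbl = match_domain(f["host"])
            if lbl:
                indicators.append(lbl)
        if indicators:
            hits.append(Hit(timestamp, classify_direction(f["src"], f["dst"]),
                            tuple(indicators), line))
    return hits


def summarize(hits):
    """Count hits by direction, the split an analyst would want first."""
    return dict(Counter(h.direction for h in hits))


if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOGS)
    for h in found:
        print(h.timestamp, h.direction.upper(), ", ".join(h.indicators))
    print(summarize(found))
```

Two details matter in practice: domain matching works on label boundaries, so `login.c2.example.net` matches the listed `c2.example.net` but `c2.example.net.evil.test` does not, and the ingress/egress split lets the same indicator list answer both “did a host reach out to a known-bad address” and “did a known-bad address reach in.”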