More than 65% of companies operating critical infrastructure suffered at least one attack in the past year (1), and close to 80% expect a successful breach of their industrial control systems within the next two years (1). Recent news (3) reports that the North Korean hacking group APT37 can steal information from air-gapped networks: “Their malware is quite sophisticated and is capable of stealing documents from the air-gapped or disconnected networks. Primary targets include government, military, defense, finance, energy and electric utility sectors” (3). Attackers move quickly and stay ahead, and businesses cannot keep up with the pace. There are many solutions for protecting critical infrastructure, but they generate data at an enormous rate; many companies struggle to manage this data, and even fewer are able to use it to make decisions. Relying on the tools and solutions alone, without being able to make informed decisions from their output, is not enough.
“The risk to industrial control systems and SCADA is believed to have substantially increased. Fifty-seven percent of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk. Only 11 percent say the risk has decreased due to heightened regulations and industry-based security standards.” (Critical Infrastructure: Security Preparedness and Maturity (July 2014), Unisys and Ponemon)
Organizations that leverage this data to change their security posture are better equipped to deal with the complexity and frequency of cyber threats. Upgrading existing systems and patching on a regular basis will not be enough, and these activities cannot be carried out cost-effectively without forfeiting a critical security position. Research has shown that many organizations are not receiving actionable, real-time threat insights about security exploits.
“According to 34 percent of respondents, their companies do not get real-time alerts, threat analysis and threat prioritization intelligence that can be used to stop or minimize the impact of a cyber attack. If they do receive such intelligence, 22 percent of respondents say they are not effective. Only 15 percent of respondents say threat intelligence is very effective and actionable” (Critical Infrastructure: Security Preparedness and Maturity (July 2014), Unisys and Ponemon)
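The two paragraphs above make the point that raw alerts are only useful once they are prioritized against what actually matters to the business. The following Python script is an added illustration of that step and is not taken from the Unisys/Ponemon report or from any vendor product; the alert line format, the asset inventory, the zone weights and the scoring formula are all constructed assumptions for the example. It parses a handful of constructed alert lines, collapses duplicates, and ranks each alert by severity multiplied by asset criticality and network-zone weight, so that a "low" alert on a control-level PLC can outrank a "high" alert on an IT file server.

```python
"""Rank raw security alerts by asset criticality and zone exposure.

Added example, not code from the cited report or any tool. The alert
format, inventory, weights and sample lines below are constructed.
"""
from dataclasses import dataclass

# Constructed asset inventory: zone membership and criticality (1-5) are
# assumptions a real deployment would take from its own asset register.
ASSETS = {
    "plc-boiler-01": {"zone": "OT-control", "criticality": 5},
    "hmi-station-02": {"zone": "OT-supervisory", "criticality": 4},
    "historian-01": {"zone": "DMZ", "criticality": 3},
    "fileserver-07": {"zone": "IT", "criticality": 2},
}

# Assumed weighting: the deeper into the OT layers, the more an alert counts.
ZONE_WEIGHT = {"OT-control": 3.0, "OT-supervisory": 2.0, "DMZ": 1.5, "IT": 1.0, "unknown": 1.5}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hosts missing from the inventory are treated as medium criticality rather
# than ignored, and flagged so the inventory gap itself gets reviewed.
DEFAULT_ASSET = {"zone": "unknown", "criticality": 3}

# Constructed sample alerts in the assumed format:
# "<source> <host> <severity> <free-text message>"
RAW_ALERTS = [
    "ids fileserver-07 high Suspicious SMB lateral movement",
    "ids historian-01 medium Modbus function scan from 10.0.3.15",
    "av plc-boiler-01 low Unsigned binary flagged",
    "ids plc-boiler-01 medium Unexpected write to holding register",
    "ids plc-boiler-01 medium Unexpected write to holding register",  # duplicate
    "ids unknown-host critical Port scan",  # host not in inventory
]


@dataclass(frozen=True)
class Alert:
    source: str
    host: str
    severity: str
    message: str


@dataclass
class RankedAlert:
    score: float
    alert: Alert
    count: int        # how many identical raw lines were collapsed into this entry
    known_asset: bool  # False when the host was not in the inventory


def parse_alert(line: str) -> Alert:
    """Split one constructed alert line into its fields; reject unknown severities."""
    source, host, severity, message = line.split(" ", 3)
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r} in: {line}")
    return Alert(source, host, severity, message)


def score(alert: Alert) -> float:
    """Severity x asset criticality x zone weight (assumed formula)."""
    asset = ASSETS.get(alert.host, DEFAULT_ASSET)
    return SEVERITY[alert.severity] * asset["criticality"] * ZONE_WEIGHT[asset["zone"]]


def prioritise(lines):
    """Parse, de-duplicate and rank alert lines, highest score first."""
    counts = {}
    for line in lines:
        alert = parse_alert(line)
        counts[alert] = counts.get(alert, 0) + 1
    ranked = [RankedAlert(score(a), a, n, a.host in ASSETS) for a, n in counts.items()]
    ranked.sort(key=lambda r: (r.score, r.count), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritise(RAW_ALERTS):
        flag = "" if r.known_asset else "  [host not in inventory]"
        print(f"{r.score:5.1f} x{r.count}  {r.alert.host:15} {r.alert.severity:8} {r.alert.message}{flag}")
```

Run as-is, the PLC "medium" alert (seen twice) comes out on top and the IT file server's "high" alert lands last; the unknown host is ranked on a default criticality and flagged, which is the behaviour a defender usually wants when the asset inventory is incomplete.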
As technology continues to develop, the Information Technology (IT) and Operational Technology (OT) used by critical infrastructure are increasingly networked together — and more frequently connected to the Internet. This greatly increases the risk of security breaches and malicious attacks on critical infrastructure. As the digital and physical worlds of critical infrastructure blend seamlessly to deliver new customer experiences, it will be crucial to keep pace with the security posture of both IT and OT.
So one might ask: how does a company keep pace with the security posture of IT and OT? ICS-CERT strongly encourages taking immediate protective action to secure ICS by applying defense-in-depth principles. Improving cybersecurity posture by implementing an ICS defense-in-depth strategy starts with developing an understanding of the business risk associated with ICS cybersecurity and managing that risk according to the overall business risk appetite. The individuals responsible for managing and maintaining the functionality of control systems need to know the methods for assessing and determining cybersecurity risk, and how to apply that knowledge to their unique environment. A clear understanding of the threats to the business, of the operational processes and technology used within the organization, and of its unique functional and technical requirements enables an organization to embed a layered approach to cybersecurity monitoring and defense into the day-to-day operation of its ICS (2). Here are all the elements involved in the ICS-CERT Defense-in-Depth strategy (2):