By Cevn Vibert, ICS Industrial Cyber Physical Security Advisor

Cevn will be hosting the session Grass Roots Industrial Control Security at (ISC)² Secure Summit UK , between 12th and 13th December 2017.

The industrial cybersecurity market is facing rapid changes as more threats are discovered, more impact is felt by end-users and cybersecurity vendors vie for leadership.

My session will highlight both alerts and advice for end-users of automation and control systems (ICS/OT), as well as selected advisory notes for practitioners of Industrial Cyber Physical Security. Strategic methodologies and programmes of activities for mitigation of impacts on IIOT, IOT and how holistic integrated security can provide comprehensive situational awareness will additionally be provided. Multiple types of security are addressed, together with some mythical attack and defense scenarios. The history of industrial cyber-attacks are mentioned briefly, to counterpoint the prevalent myths of defense, and finally some alerts to the cyber arms race.

End-users face increased pressure to improve their security stance, and I will discuss some successful methods for implementing these improvements including a “stairway”, a “jigsaw” and an “A-Team”.

The cyber physical bad guys are now attacking IOT and IIOT. They are constantly getting better at attacking, so the good guys must also constantly get better at defending. There is much evidence that most good guys have not even properly started to improve their security stance yet, so my session will be a serious ‘call-to-action’ too.

Our modern society is built on automation, control systems and their management. The “Things”, mentioned often in the Internet of Things (IOT) and the Industrial Internet of Things (IIOT), are becoming smarter and more ubiquitous. If you think about all the automation controlled “Things” that have contributed to your day and try to list them, you may be surprised and perhaps a little worried to know that they are also being invisibly attacked.

Food manufacturing, transport (planes, trains, automobiles etc.), clothing, water treatment, waste processing and management, pharmaceutical manufacturing and testing, logistics, medical device manufacturing, energy (generation, transmission and distribution), power, defense, hospitals, cashpoints, and beverage dispensers are just some of the examples of the vast variety of “Things” in our personal lives.

Critical national infrastructures are under immense pressure from Government, regulators, and themselves to enhance their defenses, improve cyber monitoring and to re-work the gargantuan quantities of legacy systems. This is not an easy task with industrial IT, due to a range of largely legacy problems. The aging and legacy Industrial systems were not designed to be monitored and interrupted and scanned by active defense solutions. These security problems are both procedural, legislative and technical, so all end-users are now having to review remediation against enormous business and operational risks.

The rise in attacks on these ‘Things’ has started to concern people. National Infrastructures are investing in improvement plans, many markets are ahead of the game, but so much more is needed to be done. Meanwhile the bad guys get better at the attacking.

We now know of so many new cyber perpetrators or threats, that there is a veritable ‘cyber zoo’ of attackers: Yetis, Bears, Dragons, Dragonfly, Worms, Penguins and more.… A whole new cyber genus is perhaps yet to come?

There are also many new words and references in our evolving cyber weapons vocabulary:  Cyber Zombies, Watering holes, Slammer, Nachi, Mahdi, Shamoon, Red October, Petya, ShadowBrokers, Conficker, Duqu, Flame, Havex, APTs, Blasters, Dumpsters, Drive-bys, Honeypots, Pastebin, Phishing, BotNets, Trojans, Heartbleed, Modbus, CANbus and more are all being aired or created on social media and on news sources around the world.

Figure 2: Industrial Cyber words (used wordle.org)

Many conferences now are haranguing the audience as being ‘incompetent’, merely in tongue-in-cheek, but still aiming at both the vendors and integrators who do not implement security-by-design in their products and systems together with the security industry which has not yet eradicated cyber-attacks by leap-frogging the bad guys with new innovative defenses and solutions.

The steps to climb the stairway to security can be very high, certainly for organisations with extensive legacy systems, but the steps do need to be climbed, and sooner rather than later. The best approach is often to build small steps, parallel steps and think differently.

Remember, the bad guys are always improving, so it is essential for organisations to also keep improving, but more than that, looking for that giant leap ahead in defenses. There is talk of new secure operating systems, new secure trusted computer systems, and of the increased lock-down and monitoring of The Internet. While all these advances are being made, are they appearing on the market quickly enough to make that giant leap forward in the cyber arms race?

The industry must now stop talking about Stuxnet and start talking about innovation and new ways of thinking. Keynote speakers are talking about the soft skills of the cyber war. Cyber-attacks are made by humans, often exploiting human weaknesses as key building blocks of their attacks. The cyber defense industry must therefore recognise this more and build security improvement programmes which include humans as the core to the solution.