As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)
Recent years have made Industrial Control Systems (ICS) cybersecurity a very dynamic area, and 2014 was no different. While much progress is left to be made, some milestones like the announcement of the release of version 1.0 of the NIST Framework, show the encouraging progress industry has made in making critical infrastructure protection top of mind.
Other milestones, such as the new and sophisticated APT campaigns targeting ICS, remind us that the bad guys are constantly expanding their capabilities in going after critical infrastructure assets. We have also seen more IT-OT integration around mobility and virtualization, technologies that in the past were typically considered too unproven for OT environments.
With the year almost behind us, it is interesting to peer into 2015 to anticipate if and how some of the trends will persist and evolve. Hopefully organizations will consider what kind of security capabilities might be needed to improve control systems security posture as well as operational efficiency. Here then are three predictions I think end users will want to pay attention to in 2015:
1. Projects to Virtualize OT Datacenters Pick Up Steam
Up until early 2014, most OT information systems managers I informally surveyed knew of plans to virtualize the corporate datacenter, but had no plans of their own to do the same for operational data centers. In fact, most organizations were vehement in their position to never virtualize these environments, which house critical applications such as MES, EMS, Historians, SCADA Masters and similar automation servers.
There was quite a bit of nervousness around the stability and performance of applications sitting on multiple virtual machines sharing a hypervisor and hardware resources. But starting in the early part of 2014 I started to hear a different view where virtualization became something organizations were “looking at” and for which they even had pilot programs in the works. To be sure, there are already organizations that have virtualized servers in the automation environment. Manufacturing, for example, where the cost pressures are very extreme, has already begun the transformation and started to reap cost and efficiency advantages. But in 2015, I expect more use of this technology even in critical infrastructure environments such as utilities and transportation.
Many organizations segment their operational datacenters off from other networks/zones within the control center or PCN. With virtualized environments security architects need to now also consider the traffic between virtual machines -- the so-called east-west traffic. Maintaining security for virtualized environments could also be quite a burden and organizations need to find solutions that reduce the administrative effort around securing VMs particularly in the effort to ensure that security implementations maintain their integrity as virtual machines get moved around. What’s more, the solution for the virtualized environment should also follow the same framework and management platform as devices for securing the non-virtualized assets.
2. Growing Use of Mobility for HMI and Big-data Applications
Earlier in November, I saw a really cool demo from a vendor of solutions for “Digital Oilfields.” The demo involved the use of augmented reality glasses and a tablet device by onsite field personnel to identify assets in the oil field, monitor processes and adjust the control systems, e.g. tuning set points on PLCs. The immediate access to information and the process was very compelling. It made workers more efficient and reduced the risk of errors.
Besides Oil and Gas, mobility solutions are also appearing in other industries such as manufacturing and utilities. Some service providers are also increasing their push of mobility solutions. While there are some valid security risks, the benefits of mobility in terms of providing on-demand access to important information and the ability to apply controls while on the go are just so compelling that it is only a matter of time before these technologies become widely used.
With mobile technologies on hand several new security considerations come to the surface. Are these mobile devices configured properly and are they being used only in business-related ways? Can threats, even zero day threats, introduced via mobile devices be detected and stopped? These are just a couple of considerations when organizations introduce mobility to the automation environment. A solution must be able to not only extend the fixed-environment security to the mobile environment but also be able to secure the new risk vectors that come with a mobile use model.
3. The Emergence of General Purpose ICS Exploit Kits with Programming Capabilities
Stuxnet already showed that ICS components, e.g. centrifuges, can be damaged via cyberattacks, but that was a very targeted campaign tailored for a specific environment.
But consider the trajectory of a couple of 2014 APTs targeting ICS, including Energetic Bear which used trojanized malware and common ICS protocols, and even Black Energy which used exploits specific to HMI software, and I believe 2015 will bring availability of a general-purpose and commercially-available ICS exploit kit that can be used to control processes, essentially lowering the hurdle for cyberphysical attacks. This will result in some headlines; such a kit would no doubt be used by actors to successfully manipulate an industrial process. As usual, the attack will rely on social engineering techniques and a zero day exploit or two to be successful. With that in place it will then enumerate, monitor and control ICS assets using ICS protocols.
I won’t not feel bad if that prediction doesn’t come to fruition -- I certainly hope I’m wrong. The main message here is the bad guys are getting more sophisticated and organizations need to up their game when it comes to defending industrial control systems against these advanced threats. Many operators I talk to still have nothing in place to combat advanced threats and are just not aware of the options. Asset owners really need to revisit their posture to not only detect but also prevent advanced attacks.
Securing ICS in 2015 and Beyond with a Platform
As organizations look to revamp their cybersecurity programs for the new year and beyond, an important question is what kind of capabilities are required to better secure ICS and why? We’ve touched on several requirements already, but there are other important ones not covered. In speaking with Mario Chiock, former CISO of Schlumberger and current executive advisor for next generation security and technology Executive, we felt this question to be so important that we decided to collaborate on a white paper titled “Defining the 21st Century Cybersecurity Platform for ICS”. You can access the whitepaper here today. Here we take a look at several important topics including:
- The drivers for improving security in ICS including the nature of advanced threats
- The definition of a platform including the 9 key capabilities of a 21st century ICS security platform
- Why these capabilities are important as they pertain to improving security and operational efficiency and key things to look for when selecting a platform
- How a 21st century security platform helps with implementing the NIST Cybersecurity Framework
- A self-assessment checklist for decision makers to review as they plan their next generation ICS security architecture.
I hope you have a chance to check it out.
With that, I’ll leave you with one last thought which is a quote from Mario Chiock who says, “It is impossible to stop advanced threats with legacy security. You need a 21st Century Security Platform to Defend against 21st Century Threats.”
Have a happy, prosperous and secure 2015!
Securing Industrial Control Systems is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.