Written by Peter Stancik, ESET We Live Security
Last month, ESET researchers confirmed the discovery of a new type of sophisticated malware now known as Industroyer, highlighting the threat posed to industrial control systems (ICS). Indeed, it is considered to be the first-ever malware designed to affect industrial control systems directly, and is thought to be behind the December 2016 cyberattack on Ukraine’s power grid.
Further research from the SANS Institute, the “global leader in information security training and certification”, confirms that security of industrial control systems is increasingly seen and understood to be a serious issue.
Their recent paper, Securing Industrial Control Systems—2017, is based on polling hundreds of professionals in the field of ICS security. Its goal is to gather related information and map the attitudes of industrial control security practitioners in regard to the security of their systems, threats and attack vectors, and defense measures.
The research shows that, predictably, the respondents’ highest priority is keeping their operational technology running. Answering the question “What are your primary business concerns when it comes to the security of your control systems?”, nearly a quarter put “Ensuring reliability and availability of control systems” first, and over 50% of respondents placed it among their top three priorities.
To measure the real scope of ICS security, the question “Have your control systems been infected or infiltrated in the past 12 months?” was included in the survey. The most common response, “Not that we know of,” was selected by 40%, while less than a half of respondents, 19%, chose “No, we’re sure we haven’t been infiltrated”.
As for the overall security, the respondents answered the same key question as in the previous years: “How serious does your organization consider the current threats to control system cybersecurity to be?” 69% of respondents rated the perceived level of threat as severe/critical or high – a two percentage point increase compared to last year’s survey.
The three biggest threats cited by the respondents were: one, devices and “things” (that cannot protect themselves) added to networks; two, internal threats (accidental); and three, external threats (hacktivism, nation states). Extortion, ransomware and other financially motivated crimes came in fourth place, while external threats via a supply chain or partnerships were far behind at number eight (out of 10 options offered to the respondents).
As for the defense measures that the respondents currently have in use, anti-malware technologies emerged as the most relied-upon measure, followed by access control solutions. The top three wanted technologies or solutions were industrial intrusion detection, control system network security monitoring and security awareness training for staff, contractors and vendors.
For interpreting the survey’s results, it should be noted that the responses were collected in February-March of 2017 (as its editors told WeLiveSecurity). This means that the respondents’ attitudes were not influenced by the news about the discovery of Industroyer – arguably the most important recent news story that is related to ICS security, which appeared in the industry’s media in May.
“The SANS survey shows that ICS security experts seriously worry about security,” commented Robert Lipovský, Senior Malware Researcher at ESET. “It will be interesting to see if the discovery of Industroyer pushes these worries to an even higher level – future reports will show.”
Industroyer was first analyzed by ESET researchers who discovered its capability to disrupt industrial processes – in the case investigated, precisely targeting a particular energy transmission infrastructure.
As a highly configurable tool, Industroyer can be easily refitted to attack similar energy infrastructures and even re-purposed to attack industrial control systems in other industries such as transportation or manufacturing.
“It is a reminder to all those responsible for critical systems around the world, many of which were designed without security in mind. Now’s the time to take measures for securing them – and the SANS research shows that security experts are taking this issue seriously,” concludes Lipovský.