The frequency and urgency of conversations about Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Operational Technology (OT) network security are definitely on the rise. Everywhere you look there are articles, presentations, webinars, and claims of new and better solutions crowding this previously uncrowded space.
To help you, our readers, sort through all of the current noise surrounding this topic we sat down with Phil Neray of CyberX at the recent Black Hat conference in Las Vegas to get an expert’s take on the ICS/SCADA security space. CyberX was a pioneer in this segment, you might say “doing IIoT before IIoT was cool.”
“It is an interesting space because for many years CISOs and corporate security organizations were only responsible for the corporate IT network and not responsible for the networks that ran inside the plants and substations and refineries. Those were managed by the people who run the plants. What has happened in the last year to two years is that the responsibility for these internal networks has shifted to the corporate security organization and CISOs. The idea being that if you are being attacked by a nation-state, such as Russia, you cannot expect the VP of manufacturing to know what to do to defend against those organizations,” Phil explained.
CyberX was founded in 2013. Phil said, “We were the first company in this space. That has allowed us to develop the most complete and the most mature platform on the market. We will have approaching 75 employees by the end of this year and we have raised 30 million dollars in venture capital funding. We have deployments around the world including two of the top five energy companies in the United States. We’re headquartered in Boston with R&D and threat intelligence teams in Israel. Our founders came out of the Israeli military.”
CyberX published the first-ever “Global ICS & IIoT Risk Report,” a DBIR-like analysis of real-world vulnerabilities found in 375 production ICS networks worldwide.
Some of the key findings of this report include:
- Nearly 3 out of 5 sites have plain text passwords traversing their control networks.
- Half aren’t running any antivirus protection.
- Nearly half have at least one unknown or rogue device.
- On average, nearly one-third of all devices (28%) at each site are vulnerable.
- 82% of industrial sites are running remote management protocols.
When asked why it is ill-advised to simply adopt IT network security solutions to OT networks, Phil explained. “Industrial networks contain a complex mix of specialized protocols, including proprietary protocols developed for specific families of industrial automation devices. This heterogeneous mix complicates security for OT environments. In addition, many protocols were originally designed when robust security features such as authentication were not even a requirement. In those days, it was assumed that simply having connectivity to a device was sufficient authentication.”
To further complicate OT security, industrial organizations have historically lacked any visibility into OT network activity and assets because monitoring tools designed for corporate IT networks are “blind” to OT-specific protocols like Modbus TCP. CyberX’s Global ICS & IIoT Risk Report shows, by illustration, the following distribution of industrial protocols.
Phil believes that ICS/SCADA systems are vulnerable and the threats against them are ever-increasing. Many experts in the security industry agree that these systems are poised to become the next frontier for cyber attacks. These systems are particularly attractive to cyber-ne’er-do-wells because they offer the potential for causing catastrophic physical results.
CyberX maintains that, when it comes to protecting these systems, a new approach is required. This new approach must be continuous and real-time, alerting immediately on unusual activity with minimal false positives. An effective approach for protecting OT networks must be passive and non-intrusive, with zero impact on OT networks and devices. It must also be heterogeneous and vendor-agnostic, with broad support for specialized ICS protocols and control system equipment from all ICS vendors. And finally, it must be integrated with existing SOC workflows and security tools, including centralized SIEMs, firewalls, IDS/IPS, and security analytics techniques.
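As an added illustration of the passive, protocol-aware monitoring described above (example code written for this article, not CyberX's product or code): a minimal Modbus/TCP request parser that builds an asset inventory from observed traffic and alerts on unknown devices and on write commands from hosts not cleared to issue them. The host addresses, roles and packets are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state; 0x01-0x04 are reads.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}
# Constructed asset list (hypothetical addresses): host -> role.
KNOWN_HOSTS = {"10.0.0.5": "hmi", "10.0.0.7": "engineering"}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(src, dst, payload):
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU.
    Returns None for anything that is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length counts the unit id plus the PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(src, dst, unit, payload[7], payload[8:])

def inspect(flows, known_hosts):
    """Passively build an inventory of which hosts use which function codes
    and alert on unknown hosts and on writes from hosts not cleared to write."""
    inventory, alerts = {}, []
    for src, dst, payload in flows:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:          # not Modbus: ignored in this example
            continue
        inventory.setdefault(src, set()).add(req.function)
        if src not in known_hosts:
            alerts.append(f"unknown device {src} sent 0x{req.function:02x} to {dst}")
        elif req.function in WRITE_CODES and known_hosts[src] != "engineering":
            alerts.append(f"{src} ({known_hosts[src]}) wrote 0x{req.function:02x} to {dst}")
    return inventory, alerts

# Constructed sample traffic (src, dst, TCP payload): a read, a permitted write,
# non-Modbus noise, and a multi-register write from a host not in the inventory.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00010000000601030000000a")),
    ("10.0.0.7", "10.0.0.20", bytes.fromhex("000200000006010600100001")),
    ("10.0.0.5", "10.0.0.20", b"GET / HTTP/1.1"),
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("00030000000b0110000000020400010002")),
]
```

Running `inspect(FLOWS, KNOWN_HOSTS)` yields an inventory of three hosts and a single alert for the write from the unknown host 10.0.0.99; a real deployment would feed the same logic from a span port or tap rather than a constructed list.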
Rather than assembling point products, look for a comprehensive way to address ICS risk: a platform designed from the ground up to operate in the OT network environment. Here is the list of solution characteristics that Phil and CyberX suggest you will need to effectively protect your critical systems.
- Rapid non-intrusive deployment
- Real-time anomaly detection of ICS threats
- Expert ICS threat intelligence
- Streamlined incident response, threat hunting and forensics
- Comprehensive ICS asset discovery and network topology mapping
- Non-invasive ICS risk and vulnerability assessments
- Automated threat modeling
Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine