(This article was originally published on the Findings From the Field blog.)

The ICS-CERT has released a 7-page 2010 Year in Review summary. Prominent industrial security commentators Dale Peterson, PJ Coyle and Joel Langill have each posted on the summary, with Joel posting a mostly positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for better indications of progress in the field of ICS security. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary.

Fly-Away Teams

As early as the summer of 2010, DHS speakers indicated that ICS-CERT fly-away teams were travelling to sites of industrial control systems incidents and assisting with investigations and remediation. At the fall ICSJWG conference at the end of October 2010, the DHS reported some 14 such fly-away investigations in 2010 and promised a report on the work of the teams. If this is the report, it leaves a lot to be desired. The section on fly-away teams is less than a page long. The write-up includes some mildly suggestive "lessons learned," but no real summary or statistics. There is not even a final number as to how many sites requested or received on-site assistance.

The lack of basic statistics on industrial security incidents is a significant impediment to persuading owners and operators to make changes in their security posture. The Repository of Industrial Security Incidents (RISI), for example, contains some 200 incident reports, most of them from the last ten years. However, if you look closer at public figures released by the organization, nearly half of those incidents between 2004 and 2008 were accidents rather than examples of malicious intent, and more than half of the remainder are simple virus infections.
This is a very small data set, and access to the data set, while inexpensive, costs more than some organizations spend annually on any aspect of industrial security. The ICS-CERT is in a unique position to gather a much more comprehensive data set and so significantly increase awareness of industrial security. If this is the most we'll see of the activity of fly-away teams in 2010, it is not nearly enough.

Speculation

Given the published RISI data, it is possible to do a little bit of speculation, reading between the lines of the fly-away teams' lessons learned. Four of the five "lessons learned" in the year-in-review summary read:
The remaining lesson:
Looking Forward

The ICS-CERT report leaves us doing what many of us have been doing for years now regarding the prevalence of ICS security incidents: speculating. The speculation is interesting only because there are so few statistics available from any source, no offence to RISI. The ICS-CERT has an opportunity to provide real insight into the state of industrial security, without compromising the confidentiality of any individual site. In the ICS industry there is enormous interest in the answers to the simplest of questions. For example:
2011-02-08
Still No Report on Fly-Away Teams