Still No Report on Fly-Away Teams

(This article was originally published on the Findings From the Field blog.) The ICS-CERT has released a 7-page 2010 Year in Review summary. Prominent industrial security commentators Dale Peterson, PJ Coyle and Joel Langill have each posted on the summary, with Joel posting a mostly-positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for better indications of progress in the field of ICS security. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary. Fly-Away Teams As early as the summer of 2010, DHS speakers indicated that ICS-CERT fly-away teams were travelling to sites of industrial control systems incidents and assisting with investigations and remediation. At the fall ICSJWG conference at the end of October 2010, the DHS reported some 14 such fly-away investigations in 2010 and had promised a report on the work of the teams. If this is the report, it leaves a lot to be desired. The section on fly-away teams is less than a page long. The write-up includes some mildly suggestive "lessons learned," but no real summary or statistics. There is not even a final number as to how many sites requested or received on-site assistance. The lack of basic statistics on industrial security incidents is a significant impediment to persuading owners and operators to make changes in their security posture. The Repository of Industrial Security Incidents for example, contains some 200 incident reports, most of them from the last ten years. However, if you look closer at public figures released by the organization, nearly one half of those incidents between 2004 and 2008 were accidents rather than examples of malicious intent, and more than half of the remainder are simple virus infections. This is a very small data set and access to the data set, while inexpensive, costs more than some organizations spend annually on any aspect of industrial security. The ICS-CERT is in a unique position to gather a much more comprehensive data set and so significantly increase awareness of industrial security. If this is the most we'll see of the activity of fly-away teams in 2010, it is not nearly enough. Speculation Given the published RISI data, it is possible to do a little bit of speculation - reading between the lines of the fly-away teams lessons learned. Four of the five "lessons learned" in the year-in-review summary read: Many asset owners reported that they were not aware of the resources available to keep them informed of current threat information or vulnerabilities to ICS. A common understanding of the potential impacts of cyber vulnerabilities (loss or degradation of process control, loss of sensitive information, etc.) does not exist across all CIKR sectors. Asset owners need to employ consistent management of privileges on their networks ⎯ who has which privileges and on which part of the network they apply for each individual. Asset owners need to develop adequate policies and procedures to educate employees and reduce the potential of unintended cyber incidents resulting from untrained workforce. It is impossible to be certain, but the above all seem consistent with the RISI statistic that more than one half of malicious incidents are common worm/virus infections. The lessons suggest that the most common root cause of such infections is inattention on the part of employees at the site. If employees are not aware of ICS security issues or the consequences of compromise, and employees tend to have greater privileges on their networks than they need to do their jobs, then you have a recipe for virus propagation. The remaining lesson: Forensics analysis is enhanced when the organization has established a baseline dataset for network configuration and typical traffic; this allows for more effective identification of intrusions. says less about the incidents and more about what kind of support the fly-away teams would like to have when they arrive at a site for an investigation. Looking Forward The ICS-CERT report leaves us doing what many of us have been doing for years now regarding the prevalence of ICS security incidents: speculating. The speculation is interesting only because there so few statistics available from any source, no offence to RISI. The ICS-CERT has an opportunity to provide real insight into the state of industrial security, without compromising the confidentiality of any individual site. In the ICS industry there is enormous interest in the answers to the simplest of questions. For example: How many incidents were the fly-away teams called to in the year? Of those visits, how did they break down by: false alarms/accidents, common malware, deliberate insider attacks and advanced threats? What is the smallest set of security measures: technology, training, etc., that would have prevented a majority - say 75% - of the attacks? Ie: what do the attacks suggest is still the biggest thing sites are getting wrong? How did the attacks break down by consequences: clean-up costs only, physical process downtime, or physical process damage? Indications are that the ICS-CERT incident data set will quickly become the largest in existence. Very high-level summaries of that data, without revealing any site details, could provide statistically meaningful trends and guidance to industry. We need industrial users to become aware of security issues, and we need to know as a society whether precautions at industrial sites are getting better or worse. The ICS-CERT data can go a long way towards achieving these ends.