About the ICS-CERT Annual ICS Summary Report 2016

In case you missed the report, ICS-CERT just released its Annual 2016 Industrial Control Systems Assessment Summary Report. Using the NIST SP 800-53 control categories, the report tallies the weaknesses found during its security assessments across a range of industrial and Critical Infrastructure (CI) sectors. According to the report:

“In FY 2016, ICS-CERT conducted assessments in 12 of the 16 CI sectors. These include the Chemical (7 assessments), Commercial Facilities (4), Communications (5), Critical Manufacturing (5), Dams (2), Emergency Services (3), Energy (22), Food and Agriculture (3), Government Facilities (10), Information Technology (3), Transportation Systems (10), and Water and Wastewater Systems (56)”

The report found that six categories accounted for more than a third of all vulnerabilities across the CI sectors:

  1. Boundary Protection
  2. Least Functionality
  3. Identification and Authentication
  4. Physical Access Control
  5. Audit Review, Analysis, and Reporting
  6. Authenticator Management

I think the report highlights several important weaknesses, several of which have solutions being pioneered by Indegy. Part of our messaging from Day 1 has always been that industrial controllers (PLCs, RTUs, DCS, etc.) are where the major risks lie, and that getting visibility into and control over the industrial controller environment is paramount to securing it. Below, I've detailed a few ways that Indegy can help with implementing the recommendations outlined in the Assessment Report.



How Indegy Helps

Boundary Protection

As the report highlights several times, the air gap is gone, interconnectivity is the norm, and the security between networks is lacking. Using Indegy, organizations can get a better handle on what industrial assets are present, what they should look like, and who should be talking to them. Any bypass or misconfiguration of a boundary protection that exposes the industrial environment produces traffic that Indegy would alert on. Verifying that the boundary protections are working as intended is also something Indegy can provide through its network traffic visibility tools.
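To make the "who should be talking to them" idea concrete, here is an added example (my own illustration, not Indegy's product code) that checks flow records against a communication baseline for the controller environment. The controller addresses, allowed source networks and flow records are all constructed for the example; the ICS port numbers are the standard assignments for those protocols. A flow that reaches a controller from outside its baseline, or that speaks an ICS protocol to an address not in the asset inventory, is reported as a finding.

```python
"""Added example: flag industrial-protocol traffic that violates a
communication baseline (hypothetical data; not Indegy's own code)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A minimal flow record, e.g. reduced from NetFlow or a span-port capture.
Flow = namedtuple("Flow", "src dst dport")

# Standard TCP ports of common ICS protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "S7comm/ISO-TSAP",
}

# Constructed baseline: controller IP -> source networks allowed to talk to it.
BASELINE = {
    # PLC: engineering VLAN only
    "10.10.1.5": [ip_network("10.10.2.0/24")],
    # RTU: engineering VLAN plus the historian host
    "10.10.1.6": [ip_network("10.10.2.0/24"), ip_network("10.10.3.10/32")],
}


def classify(flow):
    """Return None for an expected flow, otherwise a one-line finding."""
    proto = ICS_PORTS.get(flow.dport)
    if flow.dst not in BASELINE:
        # ICS traffic to an address we do not track is an inventory gap.
        if proto:
            return f"{proto} to unknown asset {flow.dst} from {flow.src}"
        return None  # non-ICS traffic to non-controllers is out of scope here
    if any(ip_address(flow.src) in net for net in BASELINE[flow.dst]):
        return None
    what = proto or f"TCP/{flow.dport}"
    return f"{what} to controller {flow.dst} from unexpected source {flow.src}"


def review(flows):
    """Run every flow through the baseline and collect the findings."""
    return [finding for finding in (classify(f) for f in flows) if finding]


# Constructed sample flows: two are expected, two should be reported.
SAMPLE_FLOWS = [
    Flow("10.10.2.20", "10.10.1.5", 502),      # engineering station -> PLC
    Flow("192.168.50.7", "10.10.1.5", 502),    # corporate host -> PLC (boundary bypass)
    Flow("10.10.3.10", "10.10.1.6", 20000),    # historian -> RTU
    Flow("10.10.2.20", "10.10.1.9", 44818),    # EtherNet/IP to an untracked address
    Flow("10.10.2.20", "10.10.9.9", 443),      # ordinary HTTPS, not a controller
]

if __name__ == "__main__":
    for finding in review(SAMPLE_FLOWS):
        print("ALERT:", finding)
```

In practice the baseline would be generated from the asset inventory and a learning period rather than typed by hand, and the same check can be extended to the function code level (for example, alerting on Modbus write function codes from hosts that are only expected to read).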

Least Functionality

Rogue internal access and malicious third-party access are the main risks associated with weaknesses in the Least Functionality category. These types of threats and their actions are readily detected by Indegy's Asset Inventory and Activity auditing technologies, and can also be alerted upon.

Identification and Authentication

When the account of a trusted insider (an employee, a partner, or another user) is compromised, accountability and traceability are lost. Indegy can provide a full audit trail of any action that the account, compromised or not, took on the industrial controllers.

Physical Access Control

Unauthorized physical access is a major finding of the report. Admins, engineers, and attackers may hop the fence, or otherwise bypass the network, and plug in locally to the industrial controllers. By leveraging Indegy's Snapshot technology, organizations can detect physical attacks and modifications to the control logic on the industrial controllers.
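The detection principle behind a controller snapshot is a baseline comparison: fingerprint each program block on the controller, compare a fresh snapshot against the stored baseline, and then ask whether the network monitoring saw an engineering download that accounts for the change. A change with no corresponding network activity points to a local connection. The following is an added illustration of that principle (not Indegy's Snapshot implementation); the block names, contents and the "download seen" flag are constructed, and a real snapshot would be read from the controller over its engineering protocol.

```python
"""Added example: detect control-logic changes by comparing snapshots and
correlate them with observed network activity (hypothetical data)."""
import hashlib


def fingerprint(blocks):
    """Map block name -> SHA-256 hex digest of the block's bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def diff_snapshots(baseline, current):
    """Report blocks that were added, removed or modified since the baseline."""
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    common = base_fp.keys() & cur_fp.keys()
    return {
        "added": sorted(cur_fp.keys() - base_fp.keys()),
        "removed": sorted(base_fp.keys() - cur_fp.keys()),
        "modified": sorted(n for n in common if base_fp[n] != cur_fp[n]),
    }


def classify_change(diff, download_seen_on_network):
    """Turn a diff plus network context into a verdict for the analyst.

    download_seen_on_network: whether the network monitor observed an
    engineering download to this controller in the same interval.
    """
    changed = any(diff[k] for k in ("added", "removed", "modified"))
    if not changed:
        return "no change"
    if download_seen_on_network:
        return "logic changed; matching download seen on the network"
    return "logic changed with no network download: possible local/physical access"


# Constructed snapshots of a small PLC program (contents are placeholders).
BASELINE_BLOCKS = {
    "OB1": b"CALL FB10; CALL FB20",
    "FB10": b"L MW10; T MW12",
    "DB5": b"setpoint=450",
}
CURRENT_BLOCKS = {
    "OB1": b"CALL FB10; CALL FB20",
    "FB10": b"L MW10; T MW12; JU SKIP_INTERLOCK",  # modified block
    "DB5": b"setpoint=450",
    "FB99": b"new block",                           # added block
}

if __name__ == "__main__":
    diff = diff_snapshots(BASELINE_BLOCKS, CURRENT_BLOCKS)
    print(diff)
    print(classify_change(diff, download_seen_on_network=False))
```

Storing only the digests of the baseline is enough for the comparison; keeping the block contents as well lets the analyst see what changed, not just that it changed.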

Audit Review, Analysis, and Reporting

Lack of audit trails is a common finding in both the OT and IT worlds. Indegy provides full visibility into and auditing of the industrial protocols, including the proprietary protocols engineers use to reprogram the control logic in the controllers.

Authenticator Management

Password management and mitigation of credential compromise was the last of the six most common findings. Indegy works with partners to provide a solution where end-to-end IT/OT coverage is needed, and can map industrial controller activities to logged-in users, easily highlighting any anomalous behavior or indications of a password compromise.


I think it's a good read, chock full of advice for anyone needing guidance on securing their industrial or Critical Infrastructure facilities.

For more information, contact us at: info@indegy.com

Schedule a call with Indegy